Edit tour

Windows Analysis Report
0442.pdf.exe

Overview

General Information

Sample name:	0442.pdf.exe renamed because original name is a hash value
Original sample name:	.pdf.exe
Analysis ID:	1580689
MD5:	4f6b2b9ee57c50d6c505d0cdada4803e
SHA1:	ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256:	62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Connects to many ports of the same IP (likely port scanning)

Document exploit detected (process start blacklist hit)

Enables network access during safeboot for specific services

Enables remote desktop connection

Initial sample is a PE file and has a suspicious name

Uses an obfuscated file name to hide its real file extension (double extension)

Uses ping.exe to check the status of other devices and networks

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Communication To Uncommon Destination Ports

Stores files to the Windows start menu directory

Stores large binary data to the registry

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

0442.pdf.exe (PID: 3388 cmdline: "C:\Users\user\Desktop\0442.pdf.exe" MD5: 4F6B2B9EE57C50D6C505D0CDADA4803E)

msiexec.exe (PID: 3500 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn MD5: AC2E7152124CEED36846BD1B6592A00F)

cmd.exe (PID: 3512 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

PING.EXE (PID: 3576 cmdline: ping 8.8.8.8 MD5: 5FB30FE90736C7FC77DE637021B1CE7C)

AcroRd32.exe (PID: 3568 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf" MD5: 2F8D93826B8CBF9290BC57535C7A6817)

AcroRd32.exe (PID: 3664 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf" MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 3980 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

msiexec.exe (PID: 3560 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

ROMFUSClient.exe (PID: 3888 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 3952 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 3188 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 3464 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 2504 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 3508 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMServer.exe (PID: 3424 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 3712 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 3568 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 3656 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 1200 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 2176 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 3032 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ROMFUSClient.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
11.0.ROMServer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0442.pdf.exe, NewProcessName: C:\Users\user\Desktop\0442.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0442.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\user\Desktop\0442.pdf.exe", ProcessId: 3388, ProcessName: 0442.pdf.exe

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 101.99.91.150, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: , Initiated: true, ProcessId: , Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49225

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, ProcessId: 3664, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0442.pdf.exe	ReversingLabs: Detection: 26%
Source: 0442.pdf.exe	Virustotal: Detection: 47%			Perma Link

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: 0442.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1148

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F23B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013F23B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2240BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013F2240BC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F24FCA0 FindFirstFileExA,	0_2_000000013F24FCA0

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Jump to behavior

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 101.99.91.150 ports 5651,8080,1,5,6,80

Enables network access during safeboot for specific services

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry value created: NULL Service

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8

Source: global traffic

TCP traffic: 192.168.2.22:49161 -> 101.99.91.150:5651

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150

Source: ROMServer.exe, 0000000B.00000002.371929484.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 6aadef.rbs.5.dr, ROMFUSClient.exe.5.dr	String found in binary or memory: http://litemanager.com/
Source: ROMServer.exe, 00000011.00000002.626318428.0000000001433000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03C
Source: ROMFUSClient.exe, 00000013.00000002.626381521.0000000002663000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03f
Source: ROMServer.exe, 00000011.00000002.626318428.000000000142C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.626381521.000000000265C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 00000009.00000000.369296517.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.370333711.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, Russian.lg.5.dr, ROMFUSClient.exe.5.dr	String found in binary or memory: http://litemanager.ru/
Source: ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://litemanager.ru/noip.txtU
Source: ROMServer.exe, 0000000B.00000002.371929484.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://s2.symcb.com0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6aadef.rbs.5.dr	String found in binary or memory: http://www.LiteManagerTeam.com
Source: ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMFUSClient.exe, 00000009.00000003.372116536.00000000023CF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000951000.00000020.00000001.01000000.00000008.sdmp, ROMServer.exe, 0000000B.00000003.371164458.000000000290F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.385062020.00000000023BF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.384329527.000000000270F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000F.00000003.395495642.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000010.00000003.391198140.00000000027BF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000002.626318428.000000000139F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.626422084.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.626381521.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000003.393648481.000000000256F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000003.394081469.00000000024BF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000003.397526328.0000000000CBF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.5.dr	String found in binary or memory: http://www.indyproject.org/
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.5.dr	String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.5.dr	String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: ROMFUSClient.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 0442.pdf.exe

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F21C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013F21C2F0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6aadec.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6aadee.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6aadee.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8824.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6aadf0.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6aadf0.msi	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6aadee.ipi

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F231F20	0_2_000000013F231F20
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F215E24	0_2_000000013F215E24
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F23CE88	0_2_000000013F23CE88
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F224928	0_2_000000013F224928
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F21F930	0_2_000000013F21F930
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F240754	0_2_000000013F240754
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F233484	0_2_000000013F233484
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22A4AC	0_2_000000013F22A4AC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F23B190	0_2_000000013F23B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22AF18	0_2_000000013F22AF18
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F238DF4	0_2_000000013F238DF4
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F240754	0_2_000000013F240754
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F232D58	0_2_000000013F232D58
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F248C1C	0_2_000000013F248C1C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F255AF8	0_2_000000013F255AF8
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F225B60	0_2_000000013F225B60
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22BB90	0_2_000000013F22BB90
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F234B98	0_2_000000013F234B98
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F221A48	0_2_000000013F221A48
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F24FA94	0_2_000000013F24FA94
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F211AA4	0_2_000000013F211AA4
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F232AB0	0_2_000000013F232AB0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2489A0	0_2_000000013F2489A0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F233964	0_2_000000013F233964
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22C96C	0_2_000000013F22C96C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F24C838	0_2_000000013F24C838
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F214840	0_2_000000013F214840
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2176C0	0_2_000000013F2176C0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F252550	0_2_000000013F252550
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22B534	0_2_000000013F22B534
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2353F0	0_2_000000013F2353F0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F21A310	0_2_000000013F21A310
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F21C2F0	0_2_000000013F21C2F0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F217288	0_2_000000013F217288
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22126C	0_2_000000013F22126C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F22F180	0_2_000000013F22F180
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2321D0	0_2_000000013F2321D0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F252080	0_2_000000013F252080

Source: ROMViewer.exe.5.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.5.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.5.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ROMServer.exe.5.dr	Static PE information: Number of sections : 11 > 10
Source: ROMFUSClient.exe.5.dr	Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe0.5.dr	Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.5.dr	Static PE information: Number of sections : 11 > 10

Source: ROMViewer.exe.5.dr

Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'

Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.356497362.0000000000326000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroRd32.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.356947644.0000000000326000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroRd32.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.349223564.000000000304C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.349223564.000000000304C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000002.357560643.0000000000328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroRd32.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.349223564.00000000030EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs 0442.pdf.exe

Source: classification engine

Classification label: mal92.troj.expl.evad.winEXE@49/43@0/2

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F21B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_000000013F21B6D8

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F238624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_000000013F238624

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray

Source: C:\Users\user\Desktop\0442.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6927208

Jump to behavior

Source: Yara match	File source: 9.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED

Source: C:\Users\user\Desktop\0442.pdf.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "

Source: C:\Windows\System32\cmd.exe	Console Write: ................................o.f..............<.......................C...V.. .D......`.I....p@H.............H.+...............D.............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................0\|D......................D...V....................H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>...............+.....D..................I....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................p.i.n.g........./.........................+......$.I............/.................+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .8...8...8...8. ........................F...V..p.i.n.g.........p@H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................ ........................F...V..p.i.n.g.........p@H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................D...V....................H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>...............+.....D..................I....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................c.l.s.........../.........................+......$.I............/.................+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................F...V..c.l.s...........p@H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................D...V....................H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>...............+.....D..................I....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.e.l.........../.........................+......$.I............/.................+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................F...V..d.e.l...........p@H.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................F...V..d.e.l...........p@H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ...................I....................................@c.I..... ........+...............Yw............`.+.............X.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................D...V....................H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................D...V....................H...............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.x.i.t..........&.I....................0........[n.............X%.I..............+.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................F...V..e.x.i.t.........p@H...............+.............................	Jump to behavior

Source: 0442.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\0442.pdf.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0442.pdf.exe	ReversingLabs: Detection: 26%
Source: 0442.pdf.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\0442.pdf.exe

File read: C:\Users\user\Desktop\0442.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0442.pdf.exe "C:\Users\user\Desktop\0442.pdf.exe"
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray

Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: shcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: shcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\0442.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Start LM-Server.lnk.5.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Uninstall LiteManager - Server.lnk.5.dr	LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
Source: Stop LM-Server.lnk.5.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Settings for LM-Server.lnk.5.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0442.pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0442.pdf.exe

Static file information: File size 11409543 > 1048576

Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0442.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 0442.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe

Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\0442.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6927208

Jump to behavior

Source: 0442.pdf.exe	Static PE information: section name: .didat
Source: 0442.pdf.exe	Static PE information: section name: _RDATA
Source: ROMViewer.exe.5.dr	Static PE information: section name: .didata
Source: ROMFUSClient.exe.5.dr	Static PE information: section name: .didata
Source: ROMwln.dll.5.dr	Static PE information: section name: .didata
Source: ROMServer.exe.5.dr	Static PE information: section name: .didata
Source: HookDrv.dll.5.dr	Static PE information: section name: .didata
Source: ROMServer.exe0.5.dr	Static PE information: section name: .didata
Source: ROMwln.dll.11.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F255156 push rsi; retf		0_2_000000013F255157
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F255166 push rsi; retf		0_2_000000013F255167

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\romserver.exe

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (132).png

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 0442.pdf.exe

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 871
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 8814

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 3544	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3544	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3732	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 3788	Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 3816	Thread sleep count: 52 > 30
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 2988	Thread sleep time: -435500s >= -30000s
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 2988	Thread sleep time: -4407000s >= -30000s

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F23B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013F23B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2240BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013F2240BC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F24FCA0 FindFirstFileExA,	0_2_000000013F24FCA0

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F2416A4 VirtualQuery,GetSystemInfo,

0_2_000000013F2416A4

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F2476D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000013F2476D8

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F250D20 GetProcessHeap,

0_2_000000013F250D20

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F242D50 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_000000013F242D50
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F2476D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013F2476D8
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F242510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000013F242510
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F243354 SetUnhandledExceptionFilter,	0_2_000000013F243354
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013F243170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013F243170

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F23B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013F23B190

Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F22DC70 cpuid

0_2_000000013F22DC70

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_000000013F23A2CC

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F240754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013F240754

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013F224EB0 GetVersionExW,

0_2_000000013F224EB0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1148

Remote Access Functionality

Enables remote desktop connection

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Exploitation for Client Execution	1 Scripting	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	1 Software Packing	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Process Injection	1 DLL Side-Loading	NTDS	55 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	222 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0442.pdf.exe	26%	ReversingLabs	Win64.Trojan.Uztuby
0442.pdf.exe	47%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	8%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	3%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	0%	ReversingLabs
C:\Windows\SysWOW64\ROMwln.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://litemanager.com/03C	0%	Avira URL Cloud	safe
http://litemanager.com/1	0%	Avira URL Cloud	safe
http://litemanager.com/03f	0%	Avira URL Cloud	safe
http://www.LiteManagerTeam.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://litemanager.com/1	ROMServer.exe, 00000011.00000002.626318428.000000000142C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.626381521.000000000265C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://litemanager.ru/	ROMFUSClient.exe, 00000009.00000000.369296517.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.370333711.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, Russian.lg.5.dr, ROMFUSClient.exe.5.dr	false		high
http://litemanager.com/03C	ROMServer.exe, 00000011.00000002.626318428.0000000001433000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	ROMFUSClient.exe.5.dr	false		high
https://litemanager.com/soft/pro/ROMServer.zip	ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.5.dr	false		high
http://litemanager.com/03f	ROMFUSClient.exe, 00000013.00000002.626381521.0000000002663000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	ROMFUSClient.exe.5.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	ROMFUSClient.exe.5.dr	false		high
https://litemanager.com/romversion.txt	ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.5.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	false		high
http://ocsp.sectigo.com0	ROMFUSClient.exe.5.dr	false		high
http://www.symauth.com/rpa00	0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	ROMFUSClient.exe.5.dr	false		high
http://ocsp.thawte.com0	0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	false		high
http://litemanager.ru/noip.txtU	ROMServer.exe, 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp	false		high
http://litemanager.com/	6aadef.rbs.5.dr, ROMFUSClient.exe.5.dr	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	ROMFUSClient.exe.5.dr	false		high
http://www.LiteManagerTeam.com	6aadef.rbs.5.dr	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	ROMFUSClient.exe, 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMFUSClient.exe, 00000009.00000003.372116536.00000000023CF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000000.369864621.0000000000951000.00000020.00000001.01000000.00000008.sdmp, ROMServer.exe, 0000000B.00000003.371164458.000000000290F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.385062020.00000000023BF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.384329527.000000000270F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000F.00000003.395495642.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000010.00000003.391198140.00000000027BF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000002.626318428.000000000139F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.626422084.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.626381521.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000003.393648481.000000000256F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000003.394081469.00000000024BF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000003.397526328.0000000000CBF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.5.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	ROMFUSClient.exe.5.dr	false		high
http://www.symauth.com/cps0(	0442.pdf.exe, 00000000.00000003.349223564.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.349223564.0000000003088000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr, 6aadf0.msi.5.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	ROMFUSClient.exe.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.99.91.150	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580689
Start date and time:	2024-12-25 17:05:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0442.pdf.exe renamed because original name is a hash value
Original Sample Name:	.pdf.exe
Detection:	MAL
Classification:	mal92.troj.expl.evad.winEXE@49/43@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 95.101.50.149, 82.178.158.81, 82.178.158.124, 82.178.158.27
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, acroipm2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:06:01	API Interceptor	10x Sleep call for process: 0442.pdf.exe modified
11:06:02	API Interceptor	281x Sleep call for process: msiexec.exe modified
11:06:04	API Interceptor	1329x Sleep call for process: AcroRd32.exe modified
11:06:10	API Interceptor	117060x Sleep call for process: ROMFUSClient.exe modified
11:06:11	API Interceptor	1196x Sleep call for process: RdrCEF.exe modified
11:06:11	API Interceptor	950x Sleep call for process: ROMServer.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	94e.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	94e.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	0442.pdf.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	101.99.92.189
	http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.com	Get hash	malicious	Unknown	Browse	101.99.81.34
	lg1wwLsmCX.exe	Get hash	malicious	Unknown	Browse	101.99.75.174
	lg1wwLsmCX.exe	Get hash	malicious	Unknown	Browse	101.99.75.174
	IFhqcKaIol.lnk	Get hash	malicious	Unknown	Browse	101.99.75.174

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	gBYz86HSwI.msi	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	gBYz86HSwI.msi	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\6aadef.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	23375
Entropy (8bit):	5.1345642889180265
Encrypted:	false
SSDEEP:	192:qmC7jsftPtOCqZ+6ySyDy6ylNbywyYylygy2fhWBiBNMBiBNvBiBNq5yoio2YUgv:qH7WtPtOCqZ+cNbynfhzOj3I6sZssOVa
MD5:	5B84587FB4FAF977D290248919F4AF26
SHA1:	567976A812914C7849DAF681E549EA846306197B
SHA-256:	CA491974542077F122CFD8283CC65E0DAF64B16D4961ED5DBC72848D9F99DCB2
SHA-512:	31E91217171600399571CB230026D6DFD054EEAC85713D43D83D0F1D3078AD632013924BC7F0EAE739913BE372E9DD33699B77B0627FD789628FFEA2273A0807
Malicious:	false
Preview:	...@IXOS.@.....@$Y.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-BE

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132032
Entropy (8bit):	6.10195829980833
Encrypted:	false
SSDEEP:	3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
MD5:	C40455A478E0B76521130D9DAAAADC4B
SHA1:	42DE923D5E36A9F56B002DD66DB245BC44480089
SHA-256:	308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
SHA-512:	76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: gBYz86HSwI.msi, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
Category:	dropped
Size (bytes):	58679
Entropy (8bit):	4.738446173390891
Encrypted:	false
SSDEEP:	768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
MD5:	BAED4E7AF33F77350D454B69317EE63B
SHA1:	2B598774F0C73850A36117F29EA8DAC57BE1C138
SHA-256:	671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
SHA-512:	E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89220
Entropy (8bit):	3.469297258214741
Encrypted:	false
SSDEEP:	768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
MD5:	B1C96EF24061BF294CAC6C4C9CBF7757
SHA1:	5D1B1934091E257B5F1C69B13F5FC1E424348584
SHA-256:	20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
SHA-512:	6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201728
Entropy (8bit):	6.3607488106285075
Encrypted:	false
SSDEEP:	3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
MD5:	1D4F8CFC7BBF374CCC3AAE6045B2133D
SHA1:	802EDF0B0ED1D0305BCD6688EE3301366FEC1337
SHA-256:	C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
SHA-512:	68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: gBYz86HSwI.msi, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...\|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	61034
Entropy (8bit):	4.429529654892776
Encrypted:	false
SSDEEP:	768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
MD5:	7303B5AE0B8911CEB238DC01419695BE
SHA1:	22B89BDB8FAEC62BA3E66639E38E6271B593944A
SHA-256:	88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
SHA-512:	8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
Malicious:	false
Preview:	[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.\|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.\|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	58794
Entropy (8bit):	3.642324420313977
Encrypted:	false
SSDEEP:	768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
MD5:	606DC375E898D7221CCB7CEB8F7C686B
SHA1:	26DCF93876C89283623B8150C1B79EDB24B6A7EC
SHA-256:	F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
SHA-512:	9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
Category:	dropped
Size (bytes):	87912
Entropy (8bit):	4.303374267443204
Encrypted:	false
SSDEEP:	768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
MD5:	3FC082E8F516EAD9FC26AC01E737F9EF
SHA1:	3B67EBCE4400DDCF6B228E5668F3008561FB8F21
SHA-256:	3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
SHA-512:	9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6307408
Entropy (8bit):	6.5944937257467116
Encrypted:	false
SSDEEP:	98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
MD5:	63D0964168B927D00064AA684E79A300
SHA1:	B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
SHA-256:	33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
SHA-512:	894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7753808
Entropy (8bit):	6.615075046955521
Encrypted:	false
SSDEEP:	98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
MD5:	F3D74B072B9697CF64B0B8445FDC8128
SHA1:	8408DA5AF9F257D12A8B8C93914614E9E725F54C
SHA-256:	70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
SHA-512:	004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	94772
Entropy (8bit):	4.284840986247552
Encrypted:	false
SSDEEP:	768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
MD5:	0E204FABE68B4B65ED5E0834651FB732
SHA1:	B338A6E54AA18F3F8A573580520F16C74A51F3D2
SHA-256:	302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
SHA-512:	AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7752272
Entropy (8bit):	6.615186281886958
Encrypted:	false
SSDEEP:	98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
MD5:	84FB34E529BEDE393A3F604EAA8137B2
SHA1:	195EA03B7BD086454A13C0D8357E0A9E447D9EC9
SHA-256:	1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
SHA-512:	A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11361360
Entropy (8bit):	6.496049600782297
Encrypted:	false
SSDEEP:	98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
MD5:	B0E355EC3453C8FFAEE08CD4257E96F2
SHA1:	0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
SHA-256:	60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
SHA-512:	B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:09:08 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2098
Entropy (8bit):	3.8295399231815748
Encrypted:	false
SSDEEP:	48:8gddOwHYuLwZd5Y+d5YsP5qoZkmrSUp8JWqoZkmRBl4iN:8g3Yi9O5qoZbcJWqoZbRT4iN
MD5:	F6F03386EB0E8917A4EB213EC5AA2DBE
SHA1:	8324A690A79C195695FB0FB5226948AEB5E2B60E
SHA-256:	4BC2E2E055CD7902A9AE9C7B70A205AD213F3331AF067F011C6309686CA5A101
SHA-512:	1142AE9562383EB8A0E3210AF1844524F9CCD25D05DAF14AE2E3C9BA530CD2AA1A47E7A186882D6D2AB70277A823C9A8BECC96B9B71E93E1FE9B60EDCE9DC4B2
Malicious:	false
Preview:	L..................F.@.. ......=....z..T.V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2..\|.......:...Y....................R.....P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....v.1......Y...LITEMA~1..^......Y..Y..........................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....d.2.PPv..Y%. .ROMSER~1.EXE..H.......Y%..Y%.*.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k....................C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.c.o.n.f.i.g

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1878
Entropy (8bit):	3.180022631061714
Encrypted:	false
SSDEEP:	24:8NqdOeK5Jd5Yc/d5YcCP+MTyjvKDDTEVS7ky/4WTyjvKDDTEcUGxy:8wdOn5Jd5Y+d5YcCP5q2DT2S0Wq2DTM
MD5:	4FA9A649BCBCCE9B0F6FF515284D9F58
SHA1:	7B3B20DF66298B4FCC3D64B5FFF300340490109B
SHA-256:	B9169D8C1ABD09A3EB683FB03AF3E43CA5D23B11CDE85B351B6B35AE90B98F79
SHA-512:	49531CB7ED725193D56178A98E27887AF22C6056B3C452D34BEAEDFA037D40288A5F7FFC49C13B8BE30A05D2EF206007354589011EF077F27B77F650BED66CD4
Malicious:	false
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................v.1...........Program Files (x86).T.......................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..^.......................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.d.2...........ROMServer.exe.H..............*.........................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\Installer\{71F

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:09:08 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2090
Entropy (8bit):	3.813475095244305
Encrypted:	false
SSDEEP:	48:8gddOwHYuLwZd5Y+d5Ys5qcxFWT84SslWqcxFWT84Bl4iN:8g3Yi9s5qcxYT8SWqcxYT84T4iN
MD5:	53AD1F8CA538A4506F8152941CAAEC44
SHA1:	B5410E8AC9CA0D18AC98B849C7F95BA92870C24F
SHA-256:	442DA936F132E349772A5B33D0ED93E1F4C20500EED88A1906C55DAB6509CB6C
SHA-512:	7248F5E60A0D0A1BDCA7A4530237D3DDD7A9FA349CD56115C1DEC03B5D3F62123E80C50F60F3D73B6C36E60E14479E6E9F5079DBD6A3A37C9F84DE7F2EE5E433
Malicious:	false
Preview:	L..................F.@.. ......=....z..T.V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2..\|.......:...Y....................R.....P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....v.1......Y...LITEMA~1..^......Y..Y..........................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....d.2.PPv..Y%. .ROMSER~1.EXE..H.......Y%..Y%.*.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k....................C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t.o.p._.s.e.r

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Thu Mar 23 15:18:06 2017, mtime=Thu Mar 23 15:18:06 2017, atime=Thu Mar 23 15:18:06 2017, length=73216, window=hide
Category:	dropped
Size (bytes):	1884
Entropy (8bit):	3.7601515531485012
Encrypted:	false
SSDEEP:	24:8Witkp7Q19iNAMwB+sHyjv/+MTyjvejIKZDUHwGS7ke4WTyjvejIKZDUHwI6yflj:8WX29iGBHOn5qmjlt6ScWqmjlt6l49u
MD5:	F42665A1662D9A8D90B3496DA9C26F7C
SHA1:	10BC5FA2343CE604DC08E515D7174E4396F7D4AF
SHA-256:	E58D847961F9536597E76F9BC265AC314E0955CD41493AC800E12C9C0DA6BFDC
SHA-512:	033994DA5E395F3CEB62F1563EFF6CAB6526F53BAB643E25156B0BE673F9F618AB0C03F1D5136B85FC232BA7F04DFA77E0D5FC92BE8AFC309136D339BAB88E18
Malicious:	false
Preview:	L..................F.@.. ....:......:......:.............................5....P.O. .:i.....+00.../C:\...................R.1......WD...Windows.<.......:...WD....p.....................W.i.n.d.o.w.s.....V.1......Y....SysWOW64..>.......:...Y.....".....................S.y.s.W.O.W.6.4.....^.2.....wJD. .msiexec.exe.D......wJD.wJD.*....[....................m.s.i.e.x.e.c...e.x.e.......N...............-.......M....................C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	292
Entropy (8bit):	5.2155917529962075
Encrypted:	false
SSDEEP:	6:EdF1+q2PP2nKuAl9OmbnIFUt8J5Zmw+p3VkwOP2nKuAl9OmbjLJ:EHAvWHAahFUt8T/+357HAaSJ
MD5:	77E2BF0AEF73D33D25AB350D95C5246F
SHA1:	648470022807769E2088A439229D59234BBF6811
SHA-256:	DC2EED685F096CEF72D6536096FB75EBB2D0BEE46287838F383988F0FB728129
SHA-512:	21393E2CBA6314770E19FB6EFDA82DFE79E2E54E70D7C05A34BD9B426407F8BD1D08F445DA1317B809F4B705283CB7DC515E5DDB4953309C125E9DF9593EF47E
Malicious:	false
Preview:	2024/12/25-11:06:14.528 4068 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:06:14.531 4068 Recovering log #3.2024/12/25-11:06:14.533 4068 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.2155917529962075
Encrypted:	false
SSDEEP:	6:EdF1+q2PP2nKuAl9OmbnIFUt8J5Zmw+p3VkwOP2nKuAl9OmbjLJ:EHAvWHAahFUt8T/+357HAaSJ
MD5:	77E2BF0AEF73D33D25AB350D95C5246F
SHA1:	648470022807769E2088A439229D59234BBF6811
SHA-256:	DC2EED685F096CEF72D6536096FB75EBB2D0BEE46287838F383988F0FB728129
SHA-512:	21393E2CBA6314770E19FB6EFDA82DFE79E2E54E70D7C05A34BD9B426407F8BD1D08F445DA1317B809F4B705283CB7DC515E5DDB4953309C125E9DF9593EF47E
Malicious:	false
Preview:	2024/12/25-11:06:14.528 4068 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:06:14.531 4068 Recovering log #3.2024/12/25-11:06:14.533 4068 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF69e947.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.2155917529962075
Encrypted:	false
SSDEEP:	6:EdF1+q2PP2nKuAl9OmbnIFUt8J5Zmw+p3VkwOP2nKuAl9OmbjLJ:EHAvWHAahFUt8T/+357HAaSJ
MD5:	77E2BF0AEF73D33D25AB350D95C5246F
SHA1:	648470022807769E2088A439229D59234BBF6811
SHA-256:	DC2EED685F096CEF72D6536096FB75EBB2D0BEE46287838F383988F0FB728129
SHA-512:	21393E2CBA6314770E19FB6EFDA82DFE79E2E54E70D7C05A34BD9B426407F8BD1D08F445DA1317B809F4B705283CB7DC515E5DDB4953309C125E9DF9593EF47E
Malicious:	false
Preview:	2024/12/25-11:06:14.528 4068 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:06:14.531 4068 Recovering log #3.2024/12/25-11:06:14.533 4068 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.008898238653846898
Encrypted:	false
SSDEEP:	3:ImtVnM1xVlt/rt/l3Sxdlt4dV1gt/lop:IiV0xlzaxdX4m1lo
MD5:	3B8BF2F369CA7ABDF0636EE15DDEF161
SHA1:	4B82D483B79B555C62AA17F31F24F43C38F2C80F
SHA-256:	100201408FDCFA835C8699C6C2FCE748C5C3844C386053F9AA7CAD622373BFCA
SHA-512:	457D92EA15FA528E7BE3ED8136A267BD08A4D7866FDD7C353CFEB898F896983B40BB48156DC25D5E00EC118C6309337F3A9344226D1635F94D7F4A122D3DD87E
Malicious:	false
Preview:	VLnk.....?......LhXJ ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241225160613Z-260.bmp

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	1.3323487663569655
Encrypted:	false
SSDEEP:	96:EA/2SxICG/fi6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/dn:a2sZElTElTElTElTElTElTElTEll
MD5:	428B72B9BFDB6192E56742AABD9F9639
SHA1:	BB66319303FCC7139F072BDA29268AC76645744B
SHA-256:	27E97FA50AB918372CE9A9D910F38B3F65ED3E13EB45CA2FD41E3202B8C6A499
SHA-512:	B14AE9EB0A304510B5C192F4B4DED451B9238800C62BD370E4947CD737D510157FBB1EB183E515B7D129AD75C4E6593DA6A51A52DC01DBC6F7B404C77CC6850D
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241225160614Z-280.bmp

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	1.3323487663569655
Encrypted:	false
SSDEEP:	96:EA/2SxICG/fi6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/dn:a2sZElTElTElTElTElTElTElTEll
MD5:	428B72B9BFDB6192E56742AABD9F9639
SHA1:	BB66319303FCC7139F072BDA29268AC76645744B
SHA-256:	27E97FA50AB918372CE9A9D910F38B3F65ED3E13EB45CA2FD41E3202B8C6A499
SHA-512:	B14AE9EB0A304510B5C192F4B4DED451B9238800C62BD370E4947CD737D510157FBB1EB183E515B7D129AD75C4E6593DA6A51A52DC01DBC6F7B404C77CC6850D
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	72643
Entropy (8bit):	5.393779678652009
Encrypted:	false
SSDEEP:	768:PCbTjMYOpdyVFWqnPvBRSiRkTIVzY3b6u2MWHDKXUHYyu:AlOpdyVFWcPvBBRkTIdY3+6UHK
MD5:	B889EFCBB7496AF798BD0C0A6F3BCD42
SHA1:	247B16179AA92A4055BEBBFC28F1C102EFBFC8C1
SHA-256:	400AE91567754B29DE11F595D8E4C55A6695467E12A393BACD35F46B050D1A44
SHA-512:	20DFA104DCBF30593924DA35348757FC99F635929F046014AFC6BA9FDE89CAC6FB0EA714698CA9107CB1398712DDC78778B1EA56E1B7216204039A1B197A899A
Malicious:	false
Preview:	4.458.88.FID.2:o:........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.94.FID.2:o:........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.82.FID.2:o:........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.85.FID.2:o:........:F:Aparajita.P:Aparajita.L:&.........................."F:Aparajita.#.99.FID.2:o:........:F:Aparajita-Italic.P:Aparajita Italic.L:&.........................."F:Aparajita.#.95.FID.2:o:........:F:Aparajita-Bold.P:Aparajita Bold.L:&.........................."F:Aparajita.#.108.FID.2:o:........:F:Aparajita-BoldItalic.P:Aparajita Bold Italic.L:&.........................."F:Aparajita.#.93.FID.2:o:........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.75.FID.2:o:........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.89.FID.2:o:........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.85.FID.2:o:........:F:Arial-BoldMT.P:Arial Bold.L:$....

C:\Users\user\AppData\Local\Temp\doc.pdf

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	PDF document, version 1.7, 6 pages
Category:	dropped
Size (bytes):	85137
Entropy (8bit):	7.7513343990244366
Encrypted:	false
SSDEEP:	1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
MD5:	17A9D7D59ED8076A38B9E48533A01A10
SHA1:	1EC63D0BECCCBCE15277A3C227E787131C1E8F74
SHA-256:	631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
SHA-512:	E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J\|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.

C:\Users\user\AppData\Local\Temp\doc2.pdf

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	PDF document, version 1.7, 6 pages
Category:	dropped
Size (bytes):	85137
Entropy (8bit):	7.7513343990244366
Encrypted:	false
SSDEEP:	1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
MD5:	17A9D7D59ED8076A38B9E48533A01A10
SHA1:	1EC63D0BECCCBCE15277A3C227E787131C1E8F74
SHA-256:	631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
SHA-512:	E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J\|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.

C:\Users\user\AppData\Local\Temp\ms.msi

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\start.bat

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.924404357134264
Encrypted:	false
SSDEEP:	3:mKDb2nppLJTXZkRErG+fyM1K/RFofD6ANntch9wQn:hb4ZGaH1MUmy2Nn
MD5:	AA3AAB4A5BCA1D06B08C6F5D6362A5D0
SHA1:	486D423A2B689CC119CE95DFCDC018C7B552FA24
SHA-256:	A0A569883E851B4B965088F9ED9F9FBA80803B47AC6E6DD4B07DF60435184CD4
SHA-512:	2B5F84DFB399F313D11A8BFA2F3F3338CF69711D5C7B6D86E7F876C8B64DB3A664D1E3E4A4A4B0066A6949DE4E64CBA416A40BE56461556F9216EE82DE23D913
Malicious:	false
Preview:	@echo of..ping 8.8.8.8..cls..del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\." /q..cls..exit

C:\Users\user\AppData\Local\Temp\~DF3615DCDB1517276E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7EECDE67EA03C717.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.22184010571898594
Encrypted:	false
SSDEEP:	48:PHMmFSBulOd5YpRXd5YNd5YGd5YMd5YmmSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Yn:PH1FqO0Wlfxm0WlfPuYW
MD5:	A70111D3F2A5F9BCD5BD11A98EBE09FE
SHA1:	61EA4AC1FF95806B9A3036DB45820A6FC330ED73
SHA-256:	C6D1555BD50B1DBDAFDDF2C582F2B20920D633B31B45AD481AD8F3EB92A93225
SHA-512:	C0960F21A3BE61A546D6926AD39D6BC5134801E961EFC87C3B3208E122E255BE7489E7DBBCB8E4A2DBAEFA401DA9094C00D82BF058ED416097CFA20AC79DBDB8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD3F3B8F35C0A254F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06712149920142403
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0AbuJ2vWEJWM1AVky6lO:2F0i8n0itFzDHFfbe2vtJWuO
MD5:	0E8B611CF5EFD5D7F4C345B5C4E1443E
SHA1:	88A30155409C7EF376FB080774D617FCD51EEB6B
SHA-256:	1DDAF54603271883C75BDB3FB0D5D7FA324500D3ECC46649D583F73FE82FBB4D
SHA-512:	6AF62D7F4423FD2635320D0E94D40F31502581BF4CE800729F8040E6A962D4E178DDA94B8C10499FAF03C37BF914598A14B1539FD2A18B83A90958235CA131EE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6aadec.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\6aadee.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.812992507234203
Encrypted:	false
SSDEEP:	48:Z0scDH3vuicWXmSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YKEYSBulOd5YpRXd5YNdt:ZBHpWWm0WlfPuIqO0WlfIp/
MD5:	F06E2E01952A265F4E2162B356FD04E8
SHA1:	5C0C83D721D51BD8063D86C8A653969B81BAD4E5
SHA-256:	B31F441558FE918FA2049FF8560A3D8DE3455DF1263B12D8E6DF029B01DF112E
SHA-512:	8D35AA6DBA0CCBD7E6F0E33BF8AB10F5254154B8D5BA42B9A4321D281B174DE2EDA9CD7E1D2244B6DD24F1239183E73BCCAA683280D384B93685FEF98FE1203E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6aadf0.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI8824.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	292998
Entropy (8bit):	4.840233139758429
Encrypted:	false
SSDEEP:	3072:aOoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+cNbynf9:aOoy25DXmNDXLDXX+cNbynf9
MD5:	5BEAB43CB1C4D77DA9984AACB662F4F7
SHA1:	6063235D8B86F7F53BAEA2761565659CA8FD953C
SHA-256:	34614103F3460834356B44C803900CA8727048583F34693DE15F22669B107DDF
SHA-512:	FB662A3A6BA6D418307312906FB295EEB5D3FA1BC35AA8050D20FC6DFBFBF7082CFC405AB03E62366DFBC67AB7A128C68A98F7F22C803BDA2A18466455DBD66E
Malicious:	false
Preview:	...@IXOS.@.....@$Y.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49F

C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1604252650201952
Encrypted:	false
SSDEEP:	12:JSbX72Fj+mQAGiLIlHVRpBh/7777777777777777777777777vDHFfbe2vtJW4pC:JeQI5V9dviGF
MD5:	86F740F98A9976CE48087D789427FEC4
SHA1:	8A19531E7F1271F4BAF53A6002F2333696E2624C
SHA-256:	4E88B26745B7A4BA444EEE036B062BBC18F63222330E7192E80219B370FFF650
SHA-512:	6B26E19C00766D2D6E3A598B13F824546D89751E4998B2365D7366F052704F7B6F409EB4506E414531DAD82E6FB2CA1A8EB23C64A27FA2946C0D7F554296462F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.351781833522881
Encrypted:	false
SSDEEP:	384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
MD5:	CA680899D9330BEB85E6351E6DC0D27B
SHA1:	41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
SHA-256:	EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
SHA-512:	3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.31126714354722
Encrypted:	false
SSDEEP:	384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
MD5:	6A4AFFF2CD33613166B37A0DAB99BD41
SHA1:	FBC0F1696213B459D099A5809D79CFC01253880F
SHA-256:	53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
SHA-512:	7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ROMwln.dll

Download File

Process:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.988555676370944
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0442.pdf.exe
File size:	11'409'543 bytes
MD5:	4f6b2b9ee57c50d6c505d0cdada4803e
SHA1:	ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256:	62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
SHA512:	43607bd5bd78dea051340a684ad3311172adc590e5ffcd8a7c576e3f6ddba7e13750bab2a957b4d9fdec0d68b67d5391e779ee625006d00b82a65ecfc62525ce
SSDEEP:	196608:rqwdhlYLDYm+q6yU4zpDKpuLkQ9aP8F5hidaKsv7kDXFd+bIYW2LJjIeTF:Nw3Yi6yU4zpDeuREkF5PlgP+0ijIeh
TLSH:	75B6334AF79008F8E0E6F67485778425E6723D4E1338A59F57A83A2B7E773118C36722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	0fd88dc89ea7861b

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FAC5CE10878h
dec eax
add esp, 28h
jmp 00007FAC5CE1020Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FAC5CE0F693h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FAC5CE103A3h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FAC5CE123B7h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FAC5CDFEC23h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FAC5CE11472h
int3
jmp 00007FAC5CE17654h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x154f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x154f4	0x15600	830fe0401acd1728e669a91fa1858e36	False	0.2520559210526316	data	4.6583703321340835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7109c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72648	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m			0.14468236129184905
RT_DIALOG	0x82e70	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x830f8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x83234	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x83320	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x83450	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x83788	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x839dc	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x83bc0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x83d8c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x83f44	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x8408c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x844f8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x84660	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x847b4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x848c0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x8497c	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x84b3c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x84d8c	0x14	data			1.15
RT_MANIFEST	0x84da0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 17:06:22.259615898 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.357692003 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.379311085 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.379379988 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.383055925 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.383070946 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.469245911 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.477272034 CET	8080	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.477325916 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.502646923 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.502655983 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.517503977 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.517566919 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.588762999 CET	80	49162	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.588846922 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.637022972 CET	8080	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.637151957 CET	8080	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.732812881 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.732876062 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:22.852448940 CET	80	49162	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:22.852464914 CET	80	49162	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:23.925216913 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:23.928924084 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:23.931953907 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:23.931994915 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:23.932018995 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:24.048468113 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:24.051659107 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:24.051672935 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:24.051681995 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:24.866394997 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.063096046 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.070657969 CET	8080	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.070714951 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.070770979 CET	49163	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.107922077 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.180191994 CET	80	49162	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.181447983 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.181534052 CET	49162	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.190242052 CET	8080	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.227423906 CET	8080	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.227514029 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.231205940 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.231235981 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:25.301166058 CET	80	49162	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.351540089 CET	8080	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.351562023 CET	8080	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:25.882185936 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:26.086755037 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:26.128330946 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:26.248069048 CET	80	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:26.250781059 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:26.394243956 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:26.394287109 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:26.513834000 CET	80	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:26.513866901 CET	80	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:26.898021936 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:27.106211901 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.821908951 CET	8080	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:27.821985960 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.822113991 CET	49164	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.827858925 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.912988901 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:27.941674948 CET	8080	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:27.947381973 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:27.947559118 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.954322100 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:27.954391956 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:28.074074984 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:28.074090958 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:28.108275890 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:28.836071968 CET	80	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:28.837316036 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:28.839442015 CET	49165	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:28.913362026 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:28.932034016 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:28.958961964 CET	80	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:29.051618099 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:29.051798105 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:29.055388927 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:29.055596113 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:29.160337925 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:29.174916983 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:29.175015926 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:29.929124117 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.130400896 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.540272951 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.540488958 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.540802956 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.569341898 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.660314083 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.688945055 CET	8080	49168	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.689059019 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.692506075 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.692506075 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:30.812647104 CET	8080	49168	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.812661886 CET	8080	49168	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:30.944569111 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.138452053 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.632587910 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.632653952 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.632704020 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.660299063 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.752593040 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.780375957 CET	80	49169	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.780455112 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.783590078 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.783590078 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:31.903450012 CET	80	49169	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.903466940 CET	80	49169	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:31.946521044 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:32.138614893 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:32.959994078 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.158564091 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.275546074 CET	8080	49168	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.275604963 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.275733948 CET	49168	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.313981056 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.395245075 CET	8080	49168	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.433950901 CET	8080	49170	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.434017897 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.437639952 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.437652111 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:33.557398081 CET	8080	49170	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.557413101 CET	8080	49170	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:33.976207972 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.170631886 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.384166002 CET	80	49169	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.384344101 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.384344101 CET	49169	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.407267094 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.504096031 CET	80	49169	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.526834965 CET	80	49171	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.526938915 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.530723095 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.530723095 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:34.650259972 CET	80	49171	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.650298119 CET	80	49171	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:34.995944023 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:35.190690041 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.007004023 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:36.020857096 CET	8080	49170	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:36.021119118 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.272744894 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.333868980 CET	49170	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.400890112 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.453398943 CET	8080	49170	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:36.520463943 CET	8080	49172	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:36.520534039 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.637856007 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.637856007 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:36.757421017 CET	8080	49172	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:36.757432938 CET	8080	49172	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.022725105 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.117577076 CET	80	49171	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.117650986 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.117744923 CET	49171	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.131794930 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.219185114 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.237198114 CET	80	49171	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.251328945 CET	80	49173	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.251447916 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.255837917 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.255839109 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:37.375364065 CET	80	49173	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:37.375418901 CET	80	49173	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:38.038599968 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:38.245970011 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.053772926 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.115722895 CET	8080	49172	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.115789890 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.115861893 CET	49172	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.209881067 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.235352039 CET	8080	49172	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.248917103 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.329549074 CET	8080	49174	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.331242085 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.334357023 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.334419012 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.453929901 CET	8080	49174	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.453942060 CET	8080	49174	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.851892948 CET	80	49173	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.851990938 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.851990938 CET	49173	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.861810923 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.971560001 CET	80	49173	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.981348991 CET	80	49175	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:39.981534004 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.985989094 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:39.986926079 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:40.069444895 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:40.105480909 CET	80	49175	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:40.106487036 CET	80	49175	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:40.275994062 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:41.084840059 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:41.286042929 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:41.947185993 CET	8080	49174	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:41.947267056 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:41.947376013 CET	49174	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.046149969 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.066925049 CET	8080	49174	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.101496935 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.165796041 CET	8080	49176	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.165973902 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.170120955 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.170134068 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.289730072 CET	8080	49176	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.289745092 CET	8080	49176	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.306224108 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.571542978 CET	80	49175	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.571822882 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.571822882 CET	49175	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.597301960 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.691593885 CET	80	49175	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.717716932 CET	80	49177	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.717924118 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.722166061 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.722409010 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:42.841656923 CET	80	49177	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:42.841830969 CET	80	49177	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:43.116518974 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:43.316169024 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.117367983 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:44.327225924 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.756192923 CET	8080	49176	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:44.756270885 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.756316900 CET	49176	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.780164957 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.876507044 CET	8080	49176	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:44.899821997 CET	8080	49178	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:44.899878025 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.904289007 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:44.904289007 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.024255991 CET	8080	49178	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.024283886 CET	8080	49178	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.132883072 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.323041916 CET	80	49177	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.326809883 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.326837063 CET	49177	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.332282066 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.431282997 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.446384907 CET	80	49177	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.550863981 CET	80	49179	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.554805994 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.555324078 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.558772087 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:45.674812078 CET	80	49179	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:45.678237915 CET	80	49179	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:46.147840023 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:46.348350048 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.163480043 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:47.358412981 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.513060093 CET	8080	49178	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:47.514822960 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.514858961 CET	49178	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.632287979 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.634402990 CET	8080	49178	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:47.751899004 CET	8080	49180	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:47.751972914 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.756465912 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.756501913 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:47.876182079 CET	8080	49180	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:47.876208067 CET	8080	49180	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.147243977 CET	80	49179	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.147437096 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.147437096 CET	49179	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.161453962 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.178901911 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.267044067 CET	80	49179	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.281039000 CET	80	49181	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.282826900 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.285531044 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.285546064 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.382462025 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:48.405044079 CET	80	49181	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:48.405062914 CET	80	49181	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:49.196911097 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:49.402625084 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.210690022 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.352504969 CET	8080	49180	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.352583885 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.352669001 CET	49180	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.410573959 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.454509974 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.472250938 CET	8080	49180	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.574141979 CET	8080	49182	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.574218988 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.579574108 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.579574108 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.699446917 CET	8080	49182	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.699467897 CET	8080	49182	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.883483887 CET	80	49181	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:50.886809111 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.895199060 CET	49181	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:50.948888063 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:51.016321898 CET	80	49181	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:51.070120096 CET	80	49183	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:51.070903063 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:51.179147005 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:51.179147005 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:51.225923061 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:51.298840046 CET	80	49183	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:51.298854113 CET	80	49183	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:51.451785088 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:52.241893053 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:52.441798925 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.202732086 CET	8080	49182	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.202887058 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.202987909 CET	49182	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.257155895 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.321566105 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.323801041 CET	8080	49182	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.441724062 CET	8080	49184	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.441776991 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.488039970 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.488039970 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.504760027 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.608917952 CET	8080	49184	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.608969927 CET	8080	49184	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.685770035 CET	80	49183	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.685838938 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.699732065 CET	49183	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.795931101 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:53.820182085 CET	80	49183	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.915642977 CET	80	49185	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:53.915707111 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:54.020291090 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:54.022787094 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:54.140996933 CET	80	49185	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:54.143078089 CET	80	49185	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:54.274296999 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:54.474833012 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:55.288902044 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:55.489881039 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.023309946 CET	8080	49184	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.026814938 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.026854038 CET	49184	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.029848099 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.148092031 CET	8080	49184	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.151143074 CET	8080	49186	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.154809952 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.278959990 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.279015064 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.303838968 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.399137020 CET	8080	49186	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.399147034 CET	8080	49186	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.499949932 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.542876005 CET	80	49185	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.546837091 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.546925068 CET	49185	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.574909925 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.667252064 CET	80	49185	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.694655895 CET	80	49187	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.694828987 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.698987007 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.702820063 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:56.819521904 CET	80	49187	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:56.823283911 CET	80	49187	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:57.320558071 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:57.525000095 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.352643013 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:58.555159092 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.740453005 CET	8080	49186	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:58.742923975 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.742923975 CET	49186	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.755140066 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.862582922 CET	8080	49186	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:58.874749899 CET	8080	49188	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:58.878853083 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.879172087 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.879225016 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:58.998709917 CET	8080	49188	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:58.998819113 CET	8080	49188	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.331043005 CET	80	49187	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.331124067 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.331188917 CET	49187	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.366564989 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.409117937 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.450694084 CET	80	49187	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.528780937 CET	80	49189	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.528980017 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.533147097 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.533158064 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.558114052 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:06:59.652795076 CET	80	49189	101.99.91.150	192.168.2.22
Dec 25, 2024 17:06:59.652904034 CET	80	49189	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:00.382289886 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:00.602179050 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.397567987 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:01.475548983 CET	8080	49188	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:01.475632906 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.475717068 CET	49188	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.484273911 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.595603943 CET	8080	49188	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:01.598233938 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.604242086 CET	8080	49190	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:01.604394913 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.608270884 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.608441114 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:01.729500055 CET	8080	49190	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:01.729626894 CET	8080	49190	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:02.413098097 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:02.612293005 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:03.429905891 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:03.630450010 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.242494106 CET	8080	49190	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.242607117 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.242688894 CET	49190	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.245359898 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.364487886 CET	8080	49190	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.366605043 CET	8080	49191	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.369786024 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.444520950 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.494568110 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.494568110 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:04.614223957 CET	8080	49191	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.614242077 CET	8080	49191	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:04.642523050 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:05.460340023 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:05.660465002 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:06.476031065 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:06.673523903 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:07.492639065 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:07.693595886 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:08.506834030 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:08.795660973 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:09.522840977 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:09.721712112 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:10.538832903 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:10.741874933 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:11.554141998 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:11.748832941 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.242867947 CET	8080	49191	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.244968891 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.245037079 CET	49191	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.327768087 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.369625092 CET	8080	49191	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.454302073 CET	8080	49192	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.456870079 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.570399046 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.576922894 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.576944113 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:12.696741104 CET	8080	49192	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.696780920 CET	8080	49192	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:12.768891096 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:13.570182085 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:13.852951050 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:13.888997078 CET	80	49189	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:13.892839909 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:13.895777941 CET	49189	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:14.016988993 CET	80	49189	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:14.048352003 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:14.168205023 CET	80	49193	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:14.168854952 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:14.226016045 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:14.228920937 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:14.345976114 CET	80	49193	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:14.348732948 CET	80	49193	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:14.585227013 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:14.783016920 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.072170019 CET	8080	49192	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.072248936 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.072284937 CET	49192	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.169169903 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.192255020 CET	8080	49192	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.288793087 CET	8080	49194	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.288885117 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.294066906 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.294147015 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:15.413698912 CET	8080	49194	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.413714886 CET	8080	49194	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.601075888 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:15.802069902 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:16.603343010 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:16.802140951 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:17.616621017 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:17.811182976 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:17.914319992 CET	8080	49194	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:17.914392948 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:17.914426088 CET	49194	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:18.006934881 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:18.033991098 CET	8080	49194	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:18.129017115 CET	8080	49195	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:18.129086018 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:18.130232096 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:18.134807110 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:18.250010967 CET	8080	49195	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:18.254745960 CET	8080	49195	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:18.631968975 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:18.836240053 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:19.647763014 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:19.856317043 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:20.664104939 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:20.864461899 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:21.679049969 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:21.936541080 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.037508011 CET	80	49193	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.038975954 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.038975954 CET	49193	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.092883110 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.161950111 CET	80	49193	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.212483883 CET	80	49196	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.213690042 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.338529110 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.338529110 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:22.458921909 CET	80	49196	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.458940029 CET	80	49196	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.678983927 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:22.881479979 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:23.694614887 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:23.894541979 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:24.710711956 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:24.805124044 CET	80	49196	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:24.806860924 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:24.806940079 CET	49196	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:24.857444048 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:24.925695896 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:24.926455021 CET	80	49196	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:24.977142096 CET	80	49197	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:24.978936911 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.110219002 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.110245943 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.229913950 CET	80	49197	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:25.229932070 CET	80	49197	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:25.725661039 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:25.925653934 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.977510929 CET	8080	49195	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:25.977685928 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.977685928 CET	49195	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:25.982115984 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:26.098175049 CET	8080	49195	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:26.102044106 CET	8080	49198	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:26.102113008 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:26.122459888 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:26.122694969 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:26.242070913 CET	8080	49198	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:26.242211103 CET	8080	49198	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:26.741854906 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:27.025716066 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.570919037 CET	80	49197	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:27.570992947 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.754182100 CET	49197	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.757369995 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:27.776264906 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.874120951 CET	80	49197	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:27.896243095 CET	80	49199	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:27.896301985 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.902415037 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:27.902435064 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:28.022355080 CET	80	49199	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:28.022399902 CET	80	49199	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:28.025778055 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:28.697057009 CET	8080	49198	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:28.697169065 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:28.706168890 CET	49198	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:28.826612949 CET	8080	49198	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:29.085546970 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:29.154194117 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:29.274209976 CET	8080	49200	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:29.274272919 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:29.280333042 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:29.280344963 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:29.325871944 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:29.400226116 CET	8080	49200	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:29.400283098 CET	8080	49200	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:29.787988901 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:30.025907040 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:30.507402897 CET	80	49199	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:30.507505894 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:30.804984093 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:30.923681021 CET	49199	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.012392998 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.043492079 CET	80	49199	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.075325966 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.195029020 CET	80	49201	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.195092916 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.297065973 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.297086954 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:31.416912079 CET	80	49201	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.417018890 CET	80	49201	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.820856094 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.885953903 CET	8080	49200	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:31.886044025 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.026031971 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.061192989 CET	49200	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.088548899 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.181098938 CET	8080	49200	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:32.208142996 CET	8080	49202	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:32.208206892 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.330076933 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.330077887 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:32.449758053 CET	8080	49202	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:32.449794054 CET	8080	49202	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:32.850877047 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:33.062844992 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:33.797081947 CET	80	49201	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:33.797143936 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:33.797199965 CET	49201	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:33.866360903 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:33.917790890 CET	80	49201	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:33.922543049 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.042145967 CET	80	49203	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.042212963 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.126136065 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.206917048 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.206963062 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.326658010 CET	80	49203	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.326694012 CET	80	49203	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.805571079 CET	8080	49202	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.805665970 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.805775881 CET	49202	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.855072975 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:34.881880999 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.925426006 CET	8080	49202	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.974694967 CET	8080	49204	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:34.974761009 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:35.010783911 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:35.012873888 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:35.126194954 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:35.130815029 CET	8080	49204	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:35.132386923 CET	8080	49204	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:35.898390055 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:36.126255035 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:36.632620096 CET	80	49203	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:36.632683992 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:36.632724047 CET	49203	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:36.752396107 CET	80	49203	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:36.913234949 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:36.914196968 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.034277916 CET	80	49205	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.034341097 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.052784920 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.052798986 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.126317024 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.172422886 CET	80	49205	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.172487974 CET	80	49205	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.572169065 CET	8080	49204	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.572236061 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.581738949 CET	49204	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.701303005 CET	8080	49204	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.756231070 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.875884056 CET	8080	49206	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:37.875963926 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:37.928850889 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:38.217956066 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:38.220896959 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:38.220913887 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:38.341598988 CET	8080	49206	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:38.341644049 CET	8080	49206	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:38.944909096 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.226435900 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.636709929 CET	80	49205	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.636776924 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.639162064 CET	49205	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.682998896 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.759424925 CET	80	49205	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.803031921 CET	80	49207	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.803222895 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.815268040 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.815303087 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:39.935425997 CET	80	49207	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.935467958 CET	80	49207	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:39.944607973 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.226492882 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.479800940 CET	8080	49206	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.479871035 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.479922056 CET	49206	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.580954075 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.599584103 CET	8080	49206	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.700680017 CET	8080	49208	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.700748920 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.706476927 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.706490993 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:40.826416016 CET	8080	49208	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.826456070 CET	8080	49208	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:40.960509062 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:41.226548910 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:41.975728989 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:42.225608110 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:42.991178036 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.225672007 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.291604996 CET	8080	49208	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.291685104 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.301182032 CET	49208	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.349818945 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.422869921 CET	8080	49208	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.471666098 CET	8080	49209	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.471740961 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.574222088 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.574260950 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:43.694067001 CET	8080	49209	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.694107056 CET	8080	49209	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:43.992364883 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:44.215559006 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:45.007114887 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:45.225783110 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.023983955 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:46.046230078 CET	8080	49209	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:46.046289921 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.046427965 CET	49209	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.089027882 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.166670084 CET	8080	49209	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:46.209887028 CET	8080	49210	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:46.209945917 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.225841045 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.295023918 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.295037985 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:46.414915085 CET	8080	49210	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:46.414949894 CET	8080	49210	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:47.038499117 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:47.252357006 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:48.054136992 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:48.325965881 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:48.813474894 CET	8080	49210	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:48.813555956 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:48.813581944 CET	49210	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:48.923085928 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:48.933281898 CET	8080	49210	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:49.042943001 CET	8080	49211	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:49.043013096 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:49.069531918 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:49.278162003 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:49.278193951 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:49.326021910 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:49.397854090 CET	8080	49211	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:49.397902966 CET	8080	49211	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:50.085006952 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:50.326186895 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:51.101072073 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:51.326131105 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:51.644347906 CET	8080	49211	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:51.644403934 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:51.644448042 CET	49211	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:51.766045094 CET	8080	49211	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:52.001391888 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:52.116823912 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:52.120996952 CET	8080	49212	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:52.121051073 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:52.243547916 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:52.243571043 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:52.326271057 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:52.369735003 CET	8080	49212	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:52.369771957 CET	8080	49212	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:53.131980896 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:53.426256895 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.132249117 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.163129091 CET	80	49207	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.163516045 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.163729906 CET	49207	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.207604885 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.283648968 CET	80	49207	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.327616930 CET	80	49213	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.327692032 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.338844061 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.338876009 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.426312923 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.463121891 CET	80	49213	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.463155985 CET	80	49213	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.705430984 CET	8080	49212	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.705498934 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.705549002 CET	49212	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.767712116 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:54.825344086 CET	8080	49212	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.887491941 CET	8080	49214	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:54.887557983 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:55.126506090 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:55.126535892 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:55.147681952 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:55.246449947 CET	8080	49214	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:55.246484041 CET	8080	49214	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:55.426373959 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:56.147924900 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:56.426429987 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:57.163742065 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:57.426502943 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:57.489770889 CET	8080	49214	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:57.490180016 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:57.490214109 CET	49214	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:57.609980106 CET	8080	49214	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:57.857711077 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:57.977523088 CET	8080	49215	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:57.977603912 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:58.082577944 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:58.082577944 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:58.178961992 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:58.202260971 CET	8080	49215	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:58.202292919 CET	8080	49215	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:58.426544905 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.189745903 CET	80	49213	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:59.189825058 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.194643974 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:59.196053982 CET	49213	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.305073023 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.318134069 CET	80	49213	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:59.424930096 CET	80	49216	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:59.425090075 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.426600933 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.531667948 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.531668901 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:07:59.651484966 CET	80	49216	101.99.91.150	192.168.2.22
Dec 25, 2024 17:07:59.651520014 CET	80	49216	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:00.210645914 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:00.425658941 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:00.581604004 CET	8080	49215	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:00.581692934 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:00.581782103 CET	49215	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:00.701920986 CET	8080	49215	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:00.912215948 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:01.031903982 CET	8080	49217	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:01.031963110 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:01.160281897 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:01.160298109 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:01.226291895 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:01.280376911 CET	8080	49217	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:01.280411005 CET	8080	49217	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:01.425719023 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.041429043 CET	80	49216	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:02.041527987 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.053668976 CET	49216	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.146673918 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.174802065 CET	80	49216	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:02.241415977 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:02.525782108 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.727329016 CET	80	49218	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:02.728101015 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.783871889 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.783930063 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:02.903654099 CET	80	49218	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:02.903690100 CET	80	49218	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:03.374185085 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:03.624619961 CET	8080	49217	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:03.624686003 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:03.625854969 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:03.864681959 CET	49217	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:03.893701077 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:03.984318018 CET	8080	49217	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:04.013294935 CET	8080	49219	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:04.013350964 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:04.015671015 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:04.015671015 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:04.135209084 CET	8080	49219	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:04.135288954 CET	8080	49219	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:04.272929907 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:04.476516008 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.288789034 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:05.315327883 CET	80	49218	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:05.315395117 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.316972017 CET	49218	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.410135984 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.436968088 CET	80	49218	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:05.525954008 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.529865980 CET	80	49220	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:05.530309916 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.635009050 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.635024071 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:05.755199909 CET	80	49220	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:05.755235910 CET	80	49220	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:06.304117918 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:06.526005983 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:06.610640049 CET	8080	49219	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:06.610706091 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:06.610735893 CET	49219	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:06.730490923 CET	8080	49219	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:07.105874062 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:07.226372004 CET	8080	49221	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:07.226438999 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:07.320645094 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:07.350123882 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:07.350143909 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:07.469897985 CET	8080	49221	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:07.469934940 CET	8080	49221	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:07.526093960 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.128562927 CET	80	49220	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.128628969 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.128679991 CET	49220	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.209242105 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.248414993 CET	80	49220	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.328919888 CET	80	49222	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.328983068 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.334831953 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.334849119 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:08.336638927 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.454452038 CET	80	49222	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.454483986 CET	80	49222	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:08.626132011 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:09.350910902 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:09.626193047 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:09.816550970 CET	8080	49221	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:09.816606998 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.034209967 CET	49221	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.053826094 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.154474020 CET	8080	49221	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.174015999 CET	8080	49223	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.174082994 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.307585955 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.307600021 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.366703987 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.427225113 CET	8080	49223	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.427269936 CET	8080	49223	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.626246929 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:10.931899071 CET	80	49222	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:10.931958914 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.382101059 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:11.626305103 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.674127102 CET	49222	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.722332954 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.794511080 CET	80	49222	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:11.842010021 CET	80	49224	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:11.842890978 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.845354080 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.845367908 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:11.965818882 CET	80	49224	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:11.965853930 CET	80	49224	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:12.384670019 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:12.608613014 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.770160913 CET	8080	49223	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:12.770236969 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.770339012 CET	49223	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.827980042 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.890122890 CET	8080	49223	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:12.948002100 CET	8080	49225	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:12.948946953 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.952399969 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:12.952411890 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:13.074595928 CET	8080	49225	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:13.074645996 CET	8080	49225	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:13.397859097 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:13.592111111 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.413362980 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:14.441606045 CET	80	49224	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:14.441900015 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.441946983 CET	49224	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.479434967 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.563076973 CET	80	49224	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:14.599267006 CET	80	49226	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:14.599332094 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.603516102 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.603755951 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.688483953 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:14.729675055 CET	80	49226	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:14.729906082 CET	80	49226	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.428973913 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.555610895 CET	8080	49225	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.557101011 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.557130098 CET	49225	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.633574963 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.680074930 CET	8080	49225	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.688541889 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.753403902 CET	8080	49227	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.755800962 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.831996918 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.832448959 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:15.951606989 CET	8080	49227	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:15.952056885 CET	8080	49227	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:16.431160927 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:16.637593985 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.207997084 CET	80	49226	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.208071947 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.208167076 CET	49226	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.226533890 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.327878952 CET	80	49226	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.346663952 CET	80	49228	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.346911907 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.350689888 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.351300955 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:17.447241068 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.471208096 CET	80	49228	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.471569061 CET	80	49228	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:17.642654896 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.347496033 CET	8080	49227	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:18.347635984 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.347753048 CET	49227	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.430879116 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.460170984 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:18.467286110 CET	8080	49227	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:18.550695896 CET	8080	49229	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:18.550786018 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.553744078 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.553776979 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.658710003 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:18.673656940 CET	8080	49229	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:18.673712015 CET	8080	49229	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:19.476641893 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:19.681776047 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:19.957055092 CET	80	49228	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:19.957124949 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:19.957314014 CET	49228	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:19.973514080 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:20.076833010 CET	80	49228	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:20.094432116 CET	80	49230	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:20.094487906 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:20.096919060 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:20.096930981 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:20.216737032 CET	80	49230	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:20.216795921 CET	80	49230	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:20.491760015 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:20.696831942 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.145138979 CET	8080	49229	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.145251036 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.145714045 CET	49229	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.173793077 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.266107082 CET	8080	49229	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.294188023 CET	8080	49231	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.294898987 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.422940016 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.422940016 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:21.507390022 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.543447971 CET	8080	49231	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.543481112 CET	8080	49231	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:21.771892071 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.522682905 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:22.718723059 CET	80	49230	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:22.718784094 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.718842983 CET	49230	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.729851007 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.781956911 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.838574886 CET	80	49230	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:22.849869967 CET	80	49232	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:22.849934101 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.972260952 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:22.972347975 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:23.092983961 CET	80	49232	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:23.093063116 CET	80	49232	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:23.522762060 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:23.782005072 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:23.874608994 CET	8080	49231	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:23.874699116 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:23.875039101 CET	49231	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:23.921598911 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:23.994761944 CET	8080	49231	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:24.041217089 CET	8080	49233	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:24.041294098 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:24.046052933 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:24.046304941 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:24.165798903 CET	8080	49233	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:24.166038036 CET	8080	49233	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:24.538794041 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:24.790065050 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.461383104 CET	80	49232	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.461461067 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.461563110 CET	49232	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.476144075 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.553957939 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.581666946 CET	80	49232	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.596225977 CET	80	49234	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.596296072 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.600235939 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.600303888 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:25.719851017 CET	80	49234	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.719887972 CET	80	49234	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:25.750132084 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.571650028 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:26.641700983 CET	8080	49233	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:26.642913103 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.643148899 CET	49233	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.678474903 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.762759924 CET	8080	49233	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:26.771187067 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.798424006 CET	8080	49235	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:26.798506975 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.802217960 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.802228928 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:26.921996117 CET	8080	49235	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:26.922033072 CET	8080	49235	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:27.584939957 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:27.821638107 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.192090034 CET	80	49234	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.192255020 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.192315102 CET	49234	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.210293055 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.312144995 CET	80	49234	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.331305981 CET	80	49236	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.331386089 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.334408998 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.334409952 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:28.454169989 CET	80	49236	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.454204082 CET	80	49236	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.600414991 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:28.804306984 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.394138098 CET	8080	49235	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.394202948 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.394234896 CET	49235	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.507025003 CET	49237	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.513886929 CET	8080	49235	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.626940012 CET	8080	49237	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.626998901 CET	49237	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.631386042 CET	49237	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.631397963 CET	49237	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:29.658049107 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.751409054 CET	8080	49237	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.751549959 CET	8080	49237	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:29.924279928 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:30.632920980 CET	5651	49161	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:30.832425117 CET	49161	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:30.922152996 CET	80	49236	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:30.922960997 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:30.922960997 CET	49236	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:30.942882061 CET	49238	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:31.042560101 CET	80	49236	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:31.063460112 CET	80	49238	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:31.063536882 CET	49238	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:31.064472914 CET	49238	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:31.064472914 CET	49238	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:08:31.184360027 CET	80	49238	101.99.91.150	192.168.2.22
Dec 25, 2024 17:08:31.184492111 CET	80	49238	101.99.91.150	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 17:05:56.342144012 CET	138	138	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:10.343735933 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:11.098670006 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:11.863114119 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:22.795617104 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:23.545042992 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:24.295087099 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:31.693036079 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:32.442663908 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:33.192615986 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:34.627011061 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:35.376748085 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:06:36.126785994 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:07:56.168551922 CET	138	138	192.168.2.22	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Dec 25, 2024 17:06:05.257407904 CET	192.168.2.22	8.8.8.8	4d5a	Echo
Dec 25, 2024 17:06:05.380563021 CET	8.8.8.8	192.168.2.22	555a	Echo Reply
Dec 25, 2024 17:06:06.339759111 CET	192.168.2.22	8.8.8.8	4d59	Echo
Dec 25, 2024 17:06:06.462279081 CET	8.8.8.8	192.168.2.22	5559	Echo Reply
Dec 25, 2024 17:06:07.761271954 CET	192.168.2.22	8.8.8.8	4d58	Echo
Dec 25, 2024 17:06:07.883725882 CET	8.8.8.8	192.168.2.22	5558	Echo Reply
Dec 25, 2024 17:06:09.242522955 CET	192.168.2.22	8.8.8.8	4d57	Echo
Dec 25, 2024 17:06:09.365150928 CET	8.8.8.8	192.168.2.22	5557	Echo Reply

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:22.732812881 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:22.732876062 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:26.394243956 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:26.394287109 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:29.055388927 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:29.055596113 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49169	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:31.783590078 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:31.783590078 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49171	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:34.530723095 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:34.530723095 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49173	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:37.255837917 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:37.255839109 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49175	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:39.985989094 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:39.986926079 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49177	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:42.722166061 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:42.722409010 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49179	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:45.555324078 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:45.558772087 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49181	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:48.285531044 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:48.285546064 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49183	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:51.179147005 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:51.179147005 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49185	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:54.020291090 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:54.022787094 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49187	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:56.698987007 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:56.702820063 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49189	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:06:59.533147097 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:06:59.533158064 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49193	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:14.226016045 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:14.228920937 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49196	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:22.338529110 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:22.338529110 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49197	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:25.110219002 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:25.110245943 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49199	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:27.902415037 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:27.902435064 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49201	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:31.297065973 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:31.297086954 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49203	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:34.206917048 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:34.206963062 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49205	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:37.052784920 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:37.052798986 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49207	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:39.815268040 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:39.815303087 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49213	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:54.338844061 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:54.338876009 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49216	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:07:59.531667948 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:07:59.531668901 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49218	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:02.783871889 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:02.783930063 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49220	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:05.635009050 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:05.635024071 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49222	101.99.91.150	80	3424	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:08.334831953 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:08.334849119 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.22	49224	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:11.845354080 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:11.845367908 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.22	49226	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:14.603516102 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:14.603755951 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
29	192.168.2.22	49228	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:17.350689888 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:17.351300955 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
30	192.168.2.22	49230	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:20.096919060 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:20.096930981 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
31	192.168.2.22	49232	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:22.972260952 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:22.972347975 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.2.22	49234	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:25.600235939 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:25.600303888 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
33	192.168.2.22	49236	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:28.334408998 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:28.334409952 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.22	49238	101.99.91.150	80

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:08:31.064472914 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:08:31.064472914 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Target ID:	0
Start time:	11:06:00
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\0442.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0442.pdf.exe"
Imagebase:	0x13f210000
File size:	11'409'543 bytes
MD5 hash:	4F6B2B9EE57C50D6C505D0CDADA4803E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:06:01
Start date:	25/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Imagebase:	0xff3f0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:06:01
Start date:	25/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Imagebase:	0x49f30000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:06:02
Start date:	25/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xff3f0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:06:02
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Imagebase:	0xa0000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:06:02
Start date:	25/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 8.8.8.8
Imagebase:	0xfff70000
File size:	16'896 bytes
MD5 hash:	5FB30FE90736C7FC77DE637021B1CE7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:06:04
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Imagebase:	0xa0000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:06:09
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.367769317.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:06:10
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000000.369864621.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:06:11
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x110000
File size:	9'805'808 bytes
MD5 hash:	326A645391A97C760B60C558A35BB068
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	11:06:14
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:06:15
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:06:18
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:06:18
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:06:18
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	11:06:20
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	11:06:20
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	11:06:20
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:06:21
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:06:23
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:06:24
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28%
Total number of Nodes:	1467
Total number of Limit Nodes:	27

Executed Functions

Function 000000013F23B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F21255C: GetDlgItem.USER32 ref: 000000013F2125AC
Part of subcall function 000000013F21255C: SetWindowTextW.USER32 ref: 000000013F2125C8

EndDialog.USER32 ref: 000000013F23B2D0
SetDlgItemTextW.USER32 ref: 000000013F23B320
GetMessageW.USER32 ref: 000000013F23B350
IsDialogMessageW.USER32 ref: 000000013F23B369
TranslateMessage.USER32 ref: 000000013F23B37B
DispatchMessageW.USER32 ref: 000000013F23B389
EndDialog.USER32 ref: 000000013F23B3D3
GetDlgItem.USER32 ref: 000000013F23B410
SendMessageW.USER32 ref: 000000013F23B431
SendMessageW.USER32 ref: 000000013F23B449
SetFocus.USER32 ref: 000000013F23B452
GetLastError.KERNEL32 ref: 000000013F23B634
GetLastError.KERNEL32 ref: 000000013F23B665
GetTickCount.KERNEL32 ref: 000000013F23B68B
GetLastError.KERNEL32 ref: 000000013F23B6F5
GetCommandLineW.KERNEL32 ref: 000000013F23B841
CreateFileMappingW.KERNEL32 ref: 000000013F23B900
MapViewOfFile.KERNEL32 ref: 000000013F23B923
Sleep.KERNEL32 ref: 000000013F23B9B6
UnmapViewOfFile.KERNEL32 ref: 000000013F23B9DF
CloseHandle.KERNEL32 ref: 000000013F23B9E8
SetDlgItemTextW.USER32 ref: 000000013F23BCDE
DialogBoxParamW.USER32 ref: 000000013F23C0D7
EndDialog.USER32 ref: 000000013F23C0EF
EnableWindow.USER32 ref: 000000013F23C2A6
SendMessageW.USER32 ref: 000000013F23C2F8
ShellExecuteExW.SHELL32 ref: 000000013F23B95B

Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB67
Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB80

SendMessageW.USER32 ref: 000000013F23BEC3
SendDlgItemMessageW.USER32 ref: 000000013F23BEEA
GetDlgItem.USER32 ref: 000000013F23BEF8
SendMessageW.USER32 ref: 000000013F23BF12
GetDlgItem.USER32 ref: 000000013F23BF4F
SetDlgItemTextW.USER32 ref: 000000013F23BFEC
SetDlgItemTextW.USER32 ref: 000000013F23C004
SetDlgItemTextW.USER32 ref: 000000013F23C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23C381
SendDlgItemMessageW.USER32 ref: 000000013F23C449
EndDialog.USER32 ref: 000000013F23C463
GetDlgItem.USER32 ref: 000000013F23C491
SetFocus.USER32 ref: 000000013F23C49A
SendDlgItemMessageW.USER32 ref: 000000013F23C53E
FindFirstFileW.KERNEL32 ref: 000000013F23C562
FindClose.KERNEL32 ref: 000000013F23C68A
SendDlgItemMessageW.USER32 ref: 000000013F23C7AF

Part of subcall function 000000013F21129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013F211396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23CAC7

Strings

LICENSEDLG, xrefs: 000000013F23C0C9
winrarsfxmappingfile.tmp, xrefs: 000000013F23B8E0
p, xrefs: 000000013F23B7AB
runas, xrefs: 000000013F23B7C9
-el -s2 "-d%s" "-sp%s", xrefs: 000000013F23B799
%s %s, xrefs: 000000013F23C6D9, 000000013F23C946
@, xrefs: 000000013F23B7B6
__tmp_rar_sfx_access_check_, xrefs: 000000013F23B6A9
STARTDLG, xrefs: 000000013F23B1CA
REPLACEFILEDLG, xrefs: 000000013F23C3D3

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: 26076387c5ce1d654275ab4260335cf04eca49caa578f542daa4eea6e18d030d
Instruction ID: 43bb175f0c7b23ee780aa8fcb15aa666b8b11c5461e660f1b4ed553e6ed19bb0
Opcode Fuzzy Hash: 26076387c5ce1d654275ab4260335cf04eca49caa578f542daa4eea6e18d030d
Instruction Fuzzy Hash: 3CD28172A05B81C1EA20DB65E8553EB63A1F785790F40423EEA4957BEADF78C74AC700

Function 000000013F23CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000013F23D5F3
SendMessageW.USER32 ref: 000000013F23D626
SendMessageW.USER32 ref: 000000013F23D655
MoveFileW.KERNEL32 ref: 000000013F23DB4B
MoveFileExW.KERNEL32 ref: 000000013F23DB69
GetTempPathW.KERNEL32 ref: 000000013F23DC49

Part of subcall function 000000013F211FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211FFB

EndDialog.USER32 ref: 000000013F23DFCA
Concurrency::cancel_current_task.LIBCPMT ref: 000000013F23EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 000000013F23EF67
Concurrency::cancel_current_task.LIBCPMT ref: 000000013F23EF73

Strings

MIN, xrefs: 000000013F23EAE5, 000000013F23EAF4
MAX, xrefs: 000000013F23EA82, 000000013F23EA91
@set:user, xrefs: 000000013F23DD96, 000000013F23DDA5
Software\Microsoft\Windows\CurrentVersion, xrefs: 000000013F23D501
.lnk, xrefs: 000000013F23E406, 000000013F23E415
HIDE, xrefs: 000000013F23E9E5, 000000013F23E9F4
lnk, xrefs: 000000013F23E3CA, 000000013F23E3D9
ProgramFilesDir, xrefs: 000000013F23D4F0
<br>, xrefs: 000000013F23D6DA, 000000013F23D6E9
.tmp, xrefs: 000000013F23DA85

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: e02ea11f63ca83b0232798bb7bc92859ef05eb5995c48a6c2f1b98aa57d00e7c
Instruction ID: 904106d94a801e7f08e4327fd4039243c721fc0e1df4546498c841fcf49df6f9
Opcode Fuzzy Hash: e02ea11f63ca83b0232798bb7bc92859ef05eb5995c48a6c2f1b98aa57d00e7c
Instruction Fuzzy Hash: 831389B2B00B84D9EB10DF64D8843DE27B1F744798F90152AEA5D57AEADF74C68AC340

Function 000000013F240754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013F22DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E018
Part of subcall function 000000013F22DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E030
Part of subcall function 000000013F22DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E05D

Part of subcall function 000000013F2262DC: GetCurrentDirectoryW.KERNEL32 ref: 000000013F2262F2
Part of subcall function 000000013F2262DC: GetCurrentDirectoryW.KERNEL32 ref: 000000013F22632C

Part of subcall function 000000013F23946C: OleInitialize.OLE32 ref: 000000013F239486
Part of subcall function 000000013F23946C: SHGetMalloc.SHELL32 ref: 000000013F2394D4

GetCommandLineW.KERNEL32 ref: 000000013F24096E
OpenFileMappingW.KERNEL32 ref: 000000013F240A07
MapViewOfFile.KERNEL32 ref: 000000013F240A30
UnmapViewOfFile.KERNEL32 ref: 000000013F240A46
MapViewOfFile.KERNEL32 ref: 000000013F240A63
UnmapViewOfFile.KERNEL32 ref: 000000013F240ACA
CloseHandle.KERNEL32 ref: 000000013F240AD3
SetEnvironmentVariableW.KERNEL32 ref: 000000013F240BAD
GetLocalTime.KERNEL32 ref: 000000013F240BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F240C13
SetEnvironmentVariableW.KERNEL32 ref: 000000013F240C26
GetModuleHandleW.KERNEL32 ref: 000000013F240C2E
LoadIconW.USER32 ref: 000000013F240C4D
DialogBoxParamW.USER32 ref: 000000013F240CB6
Sleep.KERNEL32 ref: 000000013F240CE6
DeleteObject.GDI32 ref: 000000013F240D0D
DeleteObject.GDI32 ref: 000000013F240D1F
CloseHandle.KERNEL32 ref: 000000013F240D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F240DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F240DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F240DE3

Part of subcall function 000000013F23FD0C: SetEnvironmentVariableW.KERNEL32 ref: 000000013F23FD43
Part of subcall function 000000013F23FD0C: SetEnvironmentVariableW.KERNEL32 ref: 000000013F23FDBC

Strings

winrarsfxmappingfile.tmp, xrefs: 000000013F2409F9
sfxname, xrefs: 000000013F240B9B
STARTDLG, xrefs: 000000013F240CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 000000013F240C02
sfxstime, xrefs: 000000013F240C1F

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: a8dee53382f89b6e08e422cbf5d41e0c5acc1e70b6aec1bd7dd538d57bc5f32c
Instruction ID: a015735dc8d7015e3252c138ae628f10610eea9895ddd3d8185b0c42cfb9b990
Opcode Fuzzy Hash: a8dee53382f89b6e08e422cbf5d41e0c5acc1e70b6aec1bd7dd538d57bc5f32c
Instruction Fuzzy Hash: 55129F72E10B85C1EB10DB65E8453EB7361FB85794F40423ADA9D57AAAEFB8C346C700

Function 000000013F22A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F22A504

Part of subcall function 000000013F230F68: WideCharToMultiByte.KERNEL32 ref: 000000013F230F99

SetDlgItemTextW.USER32 ref: 000000013F22A573
GetWindowRect.USER32 ref: 000000013F22A5AD
GetClientRect.USER32 ref: 000000013F22A5BB
GetWindowLongPtrW.USER32 ref: 000000013F22A66C
GetWindowRect.USER32 ref: 000000013F22A6B2
SetWindowTextW.USER32 ref: 000000013F22A6EC
GetSystemMetrics.USER32 ref: 000000013F22A6F7
GetWindow.USER32 ref: 000000013F22A708
GetWindowRect.USER32 ref: 000000013F22A746
GetWindow.USER32 ref: 000000013F22A808

Strings

CAPTION, xrefs: 000000013F22A6CF
$%s:, xrefs: 000000013F22A4EF

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 78a603216f7ecdd94e9e09827f9bae47a96a2aa11759ceaec0d479a4ec97312a
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 2691E536B14640C6EB58DF39E80479BB7A1F385B84F445529EE4A57B98CF3CDA06CB00

Function 000000013F238624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 000000013F23863D
SizeofResource.KERNEL32 ref: 000000013F238659
LoadResource.KERNEL32 ref: 000000013F238673
LockResource.KERNEL32 ref: 000000013F238685
GlobalAlloc.KERNELBASE ref: 000000013F2386A6
GlobalLock.KERNEL32 ref: 000000013F2386BB
CreateStreamOnHGlobal.OLE32 ref: 000000013F2386E8
GdipAlloc.GDIPLUS ref: 000000013F2386FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 000000013F238769
GlobalUnlock.KERNEL32 ref: 000000013F23878C
GlobalFree.KERNEL32 ref: 000000013F238795

Strings

PNG, xrefs: 000000013F23862F

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 713a960c3c88817403e8ab97eb673eb13cccf80fd34227a4b38eeacd429cb4f2
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 0F414276A11B45C1EF448B26D9543EAA7A1FB88BD0F044439CD0E8B7A4EF7CD64AC701

Function 000000013F21F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221263

Strings

__tmp_reference_source_, xrefs: 000000013F21FCCF, 000000013F21FCDE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: b28ddd4369ee9d2fb9f54b960e8e8661f54215d7ba7c365575bd3731626fabcc
Instruction ID: b667ed2a80797b7080b26064a33aa657a4e2759baf9815d2aaaafaddf02b6b81
Opcode Fuzzy Hash: b28ddd4369ee9d2fb9f54b960e8e8661f54215d7ba7c365575bd3731626fabcc
Instruction Fuzzy Hash: 34E2D47AA057C0E2EAA4CB65E1403EFA7A1F781784F40413ADB9917AF6CF78D656C700

Function 000000013F214840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F215124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F215E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F215E1C

Strings

CMT, xrefs: 000000013F2159B2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 4e0d3519dbc53a17a318317a6bcad5245a825900c95476f602d2745d5873cb12
Instruction ID: 7d6bcdb6741b67e607dfe67b417c0ff105925f5c6519d0c0d2803bca9acb2df5
Opcode Fuzzy Hash: 4e0d3519dbc53a17a318317a6bcad5245a825900c95476f602d2745d5873cb12
Instruction Fuzzy Hash: 11E20A3AB00A80DAEB28DB75D5913EFA7A1F745788F44003ADB5A47B96DF78C256C304

Function 000000013F2240BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 000000013F22410B
FindFirstFileW.KERNEL32 ref: 000000013F22415E
GetLastError.KERNEL32 ref: 000000013F2241AF
FindNextFileW.KERNEL32 ref: 000000013F2241D7
GetLastError.KERNEL32 ref: 000000013F2241E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F224315

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 3558f315e1be10042476175db8ede7ee76fa75e1d5bd3181acd8c5a3a8ae59ff
Instruction ID: 825fdc2b761ecf795d945a20b2af699aaef03946703cec928ccdc6e6b417a6b9
Opcode Fuzzy Hash: 3558f315e1be10042476175db8ede7ee76fa75e1d5bd3181acd8c5a3a8ae59ff
Instruction Fuzzy Hash: 5F61C176A00A44D1EA50CF29E8447DE7361F795BB4F505329EABD03ADADF78C686C700

Function 000000013F215E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 000000013F2159B2, 000000013F21675B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 47cd3b120c54ed8ca83a83c160b6bdeeb0161c1da1c2dba66732434d3e775dd7
Instruction ID: b107eae7fde85b52cc3383b2289ab5561dbdf9f65d9c32fc95e98348d881e67b
Opcode Fuzzy Hash: 47cd3b120c54ed8ca83a83c160b6bdeeb0161c1da1c2dba66732434d3e775dd7
Instruction Fuzzy Hash: AB42DB3AB01680EBEB18DB74C2513EF7BA1E751388F44013ADB5A536D6DB38D66AC704

Function 000000013F242D50 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000013F242D59
_invalid_parameter_noinfo.LIBCMT ref: 000000013F24CF70

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 5e8e7c2eab798a38dfb3fde06ce0d0a0e1510679a82775c568ee565f78a798df
Instruction ID: 778eab5eb7636abac359fc9019282f495614bde7d2a1d15f8dfb3b9b505f63a6
Opcode Fuzzy Hash: 5e8e7c2eab798a38dfb3fde06ce0d0a0e1510679a82775c568ee565f78a798df
Instruction Fuzzy Hash: 7DE0C230E45040C6F61C337908423EF14B05B45320F62023EE22D513C3CBECC7876A52

Function 000000013F231F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction ID: dc16a824384dbb22677a40a58295d09e61aa1e88833e093eeff6813c9879057f
Opcode Fuzzy Hash: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction Fuzzy Hash: 37E1F3B2A052C0CAEB64CF29A444BEE7B91F745748F15417FDB8A8B789DB38D642C704

Function 000000013F233484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction ID: 3abd42ff8c3726582c440720362dd32b9e99902cb40c02014b8f5ffe3db5d50d
Opcode Fuzzy Hash: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction Fuzzy Hash: 96B1AFF2B01AD896EE58CA66D508BDA6391F345FC4F48803BDE5D0B745DB38EA56C301

Function 000000013F224928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction ID: 74b1b6110ff05b908901608f36c8412163923aabc2a6fa031affd9dae0a86e14
Opcode Fuzzy Hash: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction Fuzzy Hash: AD411636B11A94D6FBA8DF26E951B9B2252F3C4B88F1440389E4E0B796DB38D647C704

Function 000000013F22DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E05D
CreateFileW.KERNEL32 ref: 000000013F22E3F0
SetFilePointer.KERNEL32 ref: 000000013F22E40E
ReadFile.KERNEL32 ref: 000000013F22E436

Part of subcall function 000000013F22DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013F22DDDF

CompareStringW.KERNELBASE ref: 000000013F22E559
CloseHandle.KERNEL32 ref: 000000013F22E4F3

Part of subcall function 000000013F211FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211FFB

Part of subcall function 000000013F2251A4: GetVersionExW.KERNEL32 ref: 000000013F2251D5

Part of subcall function 000000013F22DFD0: LoadLibraryW.KERNEL32 ref: 000000013F22DEFF
Part of subcall function 000000013F22DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22DFB5
Part of subcall function 000000013F22DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22DFBB
Part of subcall function 000000013F22DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22DFC1
Part of subcall function 000000013F22DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22DFC7

AllocConsole.KERNEL32 ref: 000000013F22E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E755
AttachConsole.KERNEL32 ref: 000000013F22E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E780
WriteConsoleW.KERNEL32 ref: 000000013F22E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 000000013F22E7A4
FreeConsole.KERNEL32 ref: 000000013F22E7AA
ExitProcess.KERNEL32 ref: 000000013F22E7BB

Strings

secur32.dll, xrefs: 000000013F22E1CD
wintrust.dll, xrefs: 000000013F22E1B1
dhcpcsvc.dll, xrefs: 000000013F22E32B
aclui.dll, xrefs: 000000013F22E371
cryptsp.dll, xrefs: 000000013F22E355
apphelp.dll, xrefs: 000000013F22E14F
WindowsCodecs.dll, xrefs: 000000013F22E213
ieframe.dll, xrefs: 000000013F22E120
mpr.dll, xrefs: 000000013F22E291
SetDllDirectoryW, xrefs: 000000013F22E026
SSPICLI.DLL, xrefs: 000000013F22E09C
RpcRtRemote.dll, xrefs: 000000013F22E363
usp10.dll, xrefs: 000000013F22E0DE
dfscli.dll, xrefs: 000000013F22E2F3
SetDefaultDllDirectories, xrefs: 000000013F22E053
DXGIDebug.dll, xrefs: 000000013F22E086, 000000013F22E5B6
setupapi.dll, xrefs: 000000013F22E141
sfc_os.dll, xrefs: 000000013F22E091
userenv.dll, xrefs: 000000013F22E15D
dnsapi.DLL, xrefs: 000000013F22E259
UXTheme.dll, xrefs: 000000013F22E0B2
peerdist.dll, xrefs: 000000013F22E38D
rsaenh.dll, xrefs: 000000013F22E0A7
uxtheme.dll, xrefs: 000000013F22E66D
mlang.dll, xrefs: 000000013F22E2BB
clbcatq.dll, xrefs: 000000013F22E0E9
comres.dll, xrefs: 000000013F22E0F4
samlib.dll, xrefs: 000000013F22E2D7
cscapi.dll, xrefs: 000000013F22E22F
cryptui.dll, xrefs: 000000013F22E1A3
linkinfo.dll, xrefs: 000000013F22E347
ws2help.dll, xrefs: 000000013F22E10A
XmlLite.dll, xrefs: 000000013F22E339
netutils.dll, xrefs: 000000013F22E283
kernel32, xrefs: 000000013F22E011
psapi.dll, xrefs: 000000013F22E115
propsys.dll, xrefs: 000000013F22E2AD
cryptbase.dll, xrefs: 000000013F22E0C8
dwmapi.dll, xrefs: 000000013F22E0BD, 000000013F22E661
ntshrui.dll, xrefs: 000000013F22E12B
browcli.dll, xrefs: 000000013F22E301
oleaccrc.dll, xrefs: 000000013F22E1E9
imageres.dll, xrefs: 000000013F22E24B
srvcli.dll, xrefs: 000000013F22E221
samcli.dll, xrefs: 000000013F22E2C9
iphlpapi.DLL, xrefs: 000000013F22E267
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 000000013F22E73B
cabinet.dll, xrefs: 000000013F22E1DB
devrtl.dll, xrefs: 000000013F22E29F
dhcpcsvc6.dll, xrefs: 000000013F22E31D
netapi32.dll, xrefs: 000000013F22E16B
profapi.dll, xrefs: 000000013F22E205
shdocvw.dll, xrefs: 000000013F22E179
crypt32.dll, xrefs: 000000013F22E187
lpk.dll, xrefs: 000000013F22E0D3
ntmarta.dll, xrefs: 000000013F22E1F7
dsrole.dll, xrefs: 000000013F22E37F
WINNSI.DLL, xrefs: 000000013F22E275
shell32.dll, xrefs: 000000013F22E1BF
version.dll, xrefs: 000000013F22E07B
ws2_32.dll, xrefs: 000000013F22E0FF
rasadhlp.dll, xrefs: 000000013F22E30F
wkscli.dll, xrefs: 000000013F22E2E5
slc.dll, xrefs: 000000013F22E23D
atl.dll, xrefs: 000000013F22E136
msasn1.dll, xrefs: 000000013F22E195

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction ID: 511aaeec50d24f3ec65772f1c51928cc59e220e7cb2535c22abab748c1fc6b55
Opcode Fuzzy Hash: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction Fuzzy Hash: A7322C35A01F80E9EB619F65E8443DA73A4FB48354F90023ADA8E577A5EF78C756C340

Function 000000013F2298DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F228E58: Concurrency::cancel_current_task.LIBCPMT ref: 000000013F228F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F229F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22A435

Part of subcall function 000000013F230BBC: MultiByteToWideChar.KERNEL32 ref: 000000013F230BE9

Strings

STRINGS, xrefs: 000000013F229DC1
@%s:, xrefs: 000000013F229F57
,, xrefs: 000000013F229FAA
MENU, xrefs: 000000013F229DD9
DIALOG, xrefs: 000000013F229DCD
DIRECTION, xrefs: 000000013F229DE5
, xrefs: 000000013F229DF9
*messages***, xrefs: 000000013F229BC6
*messages***, xrefs: 000000013F229C04
RTL, xrefs: 000000013F229F2E
$%s:, xrefs: 000000013F229F50

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 15c8a0442dfdb0da6b8bb8c321e22356c09d03479809fd76414af841d758a6b1
Instruction ID: 194346c3f998a4829220af4ba09e2dbf30658090048ad32e79879fb28220d64c
Opcode Fuzzy Hash: 15c8a0442dfdb0da6b8bb8c321e22356c09d03479809fd76414af841d758a6b1
Instruction Fuzzy Hash: 5762DE36A11B80E5EBA0DF29C4883EF7361F740788F81413ADA5A47AD5EB39CB46C740

Function 000000013F241900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013F241558: DloadProtectSection.DELAYIMP ref: 000000013F2415C9

RaiseException.KERNEL32 ref: 000000013F2419A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000013F241993

Part of subcall function 000000013F241868: DloadProtectSection.DELAYIMP ref: 000000013F2418C7

LoadLibraryExA.KERNELBASE ref: 000000013F241A46
GetLastError.KERNEL32 ref: 000000013F241A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000013F241A86
RaiseException.KERNEL32 ref: 000000013F241A9A

Strings

H, xrefs: 000000013F241974

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 07ba20b0da98b56770c8d5223115f341ecae21ae3722028525545bd4418af615
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: C4913732A01B54CAEB11CFA6D9447EE73B1BB08B98F494539DE0A27B54EBB4D646C300

Function 000000013F23F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 000000013F23F747
ShowWindow.USER32 ref: 000000013F23F786
GetExitCodeProcess.KERNEL32 ref: 000000013F23F7BD
CloseHandle.KERNEL32 ref: 000000013F23F7E7
ShowWindow.USER32 ref: 000000013F23F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23F8FB

Strings

.exe, xrefs: 000000013F23F7F2
Install, xrefs: 000000013F23F684
p, xrefs: 000000013F23F529
.inf, xrefs: 000000013F23F675

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: e6df9d24348bb93514fb480ea1be33c8dcd4460610e8708733d7670b1b277d8e
Instruction ID: 388a5ae9e02ddf60586d52dd17dcc74ec70dd14134b025b47f08b230603cfc9e
Opcode Fuzzy Hash: e6df9d24348bb93514fb480ea1be33c8dcd4460610e8708733d7670b1b277d8e
Instruction Fuzzy Hash: E8C170B2F14A00D5FB18CB65E9443EF27B1EB89B84F04413ADE4947BA5DB78CA56C700

Function 000000013F23F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013F23AE1C: PeekMessageW.USER32 ref: 000000013F23AE32
Part of subcall function 000000013F23AE1C: GetMessageW.USER32 ref: 000000013F23AE49
Part of subcall function 000000013F23AE1C: IsDialogMessageW.USER32 ref: 000000013F23AE60
Part of subcall function 000000013F23AE1C: TranslateMessage.USER32 ref: 000000013F23AE6F
Part of subcall function 000000013F23AE1C: DispatchMessageW.USER32 ref: 000000013F23AE7A

GetDlgItem.USER32 ref: 000000013F23F0E3
ShowWindow.USER32 ref: 000000013F23F109
SendMessageW.USER32 ref: 000000013F23F11E
SendMessageW.USER32 ref: 000000013F23F136
SendMessageW.USER32 ref: 000000013F23F157
SendMessageW.USER32 ref: 000000013F23F173
SendMessageW.USER32 ref: 000000013F23F1B6
SendMessageW.USER32 ref: 000000013F23F1D4
SendMessageW.USER32 ref: 000000013F23F1E8
SendMessageW.USER32 ref: 000000013F23F212
SendMessageW.USER32 ref: 000000013F23F22A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 4a0090991b9f6eaf37f83e80db7d613eacfbcd000bb56e43c29fa4c0c386ed2d
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 9F416C71B10A50C6F7109F61E814BDB2760E389B98F44113ADD0A1BB9ACF7DC64A8764

Function 000000013F21EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F572

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0144bcc994d84486ee27bbb6ec5de5de067ba5895e62caa73601afb15b6542e9
Instruction ID: a126db3dcdb837304e2dac9901cedd0281be7fd641d5edbfe67500a356ea6c06
Opcode Fuzzy Hash: 0144bcc994d84486ee27bbb6ec5de5de067ba5895e62caa73601afb15b6542e9
Instruction Fuzzy Hash: 7C12AD76F04B40C5EB10DB65D4443DE6372E7857A8F50022ADE6D27AEADB78C68BC344

Function 000000013F2472EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,000000013F2474F3,?,?,?,000000013F24525E,?,?,?,000000013F245219), ref: 000000013F247371
GetLastError.KERNEL32(?,?,00000000,000000013F2474F3,?,?,?,000000013F24525E,?,?,?,000000013F245219), ref: 000000013F24737F
LoadLibraryExW.KERNEL32(?,?,00000000,000000013F2474F3,?,?,?,000000013F24525E,?,?,?,000000013F245219), ref: 000000013F2473A9
FreeLibrary.KERNEL32(?,?,00000000,000000013F2474F3,?,?,?,000000013F24525E,?,?,?,000000013F245219), ref: 000000013F2473EF
GetProcAddress.KERNEL32(?,?,00000000,000000013F2474F3,?,?,?,000000013F24525E,?,?,?,000000013F245219), ref: 000000013F2473FB

Strings

api-ms-, xrefs: 000000013F247391

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: cdc95da24b7a5553c5f6776f9f15af93b1c86f4efbaf31f38a66f5ffc3b071ef
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 9C31C331A12A40C2EE12EB16A8047E767A4F748BA4F59453DDD2E6B394DFBCC2468710

Function 000000013F2224C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000013F22259B
GetLastError.KERNEL32 ref: 000000013F2225AE
CreateFileW.KERNEL32 ref: 000000013F22260E
GetLastError.KERNEL32 ref: 000000013F222617
SetFileTime.KERNEL32 ref: 000000013F2226C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F222736

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: c90d99a879dbc59780aaf31344be960bf5048a79d4b9b92666a592f6816938e3
Instruction ID: 724558d01f8ec599652ca0619381d09336485435a0aa4585d391286d11caef4f
Opcode Fuzzy Hash: c90d99a879dbc59780aaf31344be960bf5048a79d4b9b92666a592f6816938e3
Instruction Fuzzy Hash: 2E61E576A10784D5F7608B29E5043AF67B1F3857A8F101328DFAA07AD8DB7AC25AC744

Function 000000013F23B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 000000013F23B02A
GetObjectW.GDI32 ref: 000000013F23B05B
DeleteObject.GDI32 ref: 000000013F23B095
DeleteObject.GDI32 ref: 000000013F23B0C5

Part of subcall function 000000013F238624: FindResourceW.KERNEL32 ref: 000000013F23863D
Part of subcall function 000000013F238624: SizeofResource.KERNEL32 ref: 000000013F238659
Part of subcall function 000000013F238624: LoadResource.KERNEL32 ref: 000000013F238673
Part of subcall function 000000013F238624: LockResource.KERNEL32 ref: 000000013F238685
Part of subcall function 000000013F238624: GlobalAlloc.KERNELBASE ref: 000000013F2386A6
Part of subcall function 000000013F238624: GlobalLock.KERNEL32 ref: 000000013F2386BB
Part of subcall function 000000013F238624: CreateStreamOnHGlobal.OLE32 ref: 000000013F2386E8
Part of subcall function 000000013F238624: GdipAlloc.GDIPLUS ref: 000000013F2386FE
Part of subcall function 000000013F238624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 000000013F238769
Part of subcall function 000000013F238624: GlobalUnlock.KERNEL32 ref: 000000013F23878C
Part of subcall function 000000013F238624: GlobalFree.KERNEL32 ref: 000000013F238795

Strings

], xrefs: 000000013F23B063

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 36be73889ecd5954d2b385cb9ade766eef80e41842614481baf022e3ea93e812
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: FF115B71B05744C2FA64DB2196553EB53A1EB89BC4F08003D9D5D0BB96DF3DDB0A8701

Function 000000013F24F414 Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 000000013F24F536

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 272e27605ed2a9e7e40b544be9d2c69746fa82b721b72b6d2236a18bc50b2005
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 9A41CA72B11A40C2FE159F12A9047F763A5B794BE0F19453DEE2A5B754EFB8C6428340

Function 000000013F23AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 000000013F23AE32
GetMessageW.USER32 ref: 000000013F23AE49
IsDialogMessageW.USER32 ref: 000000013F23AE60
TranslateMessage.USER32 ref: 000000013F23AE6F
DispatchMessageW.USER32 ref: 000000013F23AE7A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 048c8b9f367fe900559c1cc1bc842a2b68a22fc18c41dd3c6704114551343b63
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 31F01235B34940C2FB50DB25E896BAB2361FBD0B05F805439E54A41855DF3CC60ECB10

Function 000000013F2391E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 000000013F239211
SHAutoComplete.SHLWAPI ref: 000000013F239255

Part of subcall function 000000013F2313C4: CompareStringW.KERNEL32 ref: 000000013F2313E3

FindWindowExW.USER32 ref: 000000013F23923F

Strings

EDIT, xrefs: 000000013F23921B, 000000013F239233

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 5e93abbc57235224d4159296a91cbf3d379c1f8c0412f19d82e19f6e323711a5
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 62013171B11E82C1FA209B22E8157D763A1AB9A744F84103A4D4E4AA95DF2CC74EC650

Function 000000013F222CE0 Relevance: 6.1, APIs: 4, Instructions: 136fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000013F228C9A), ref: 000000013F222D22
WriteFile.KERNEL32 ref: 000000013F222D6C
WriteFile.KERNELBASE ref: 000000013F222D9A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 6cd78db48ad0d9b226c97101cb61b208fe2fcd81b3a9cbf8e3f9182465f50604
Instruction ID: bc4aa03311ba8468bea74ccf3b047622f80d825fe9a42ab67a0c03d408808419
Opcode Fuzzy Hash: 6cd78db48ad0d9b226c97101cb61b208fe2fcd81b3a9cbf8e3f9182465f50604
Instruction Fuzzy Hash: 14510336B11A48E2FB90CB65D9447EB6360F784B90F54013DAE4A47AE4DFB9C68AC700

Function 000000013F2403E0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 000000013F240556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2405C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2405C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2405CD

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 37944a8cf501712dba7b7552f49b5fdb5cf8609680ceced34cad6b817c0b05d3
Instruction ID: a03e13fee570c04a5cfa87ca321b1ac60ac10d452b41d3dca0b3814cf1b2be1f
Opcode Fuzzy Hash: 37944a8cf501712dba7b7552f49b5fdb5cf8609680ceced34cad6b817c0b05d3
Instruction Fuzzy Hash: 44515272F10A50C5FB00DBA5D8453DE2372F785BA4F500639DE6D26BE6DBA4C682C744

Function 000000013F223684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,000000013F22309D), ref: 000000013F2236CE
CreateDirectoryW.KERNEL32 ref: 000000013F223733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,000000013F22309D), ref: 000000013F223791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2237CE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: ac7929ab680600a75a05425a8dcfbf923b8573e4052e4e1cf8798639435a1a0e
Instruction ID: 92476f30cabc342057e0bd2f68b6dfdb6e8d2543daba6625a79dbe99de76d38c
Opcode Fuzzy Hash: ac7929ab680600a75a05425a8dcfbf923b8573e4052e4e1cf8798639435a1a0e
Instruction Fuzzy Hash: 0031163AA04780D1FFA09B25A4447EF63A1F7887A0F500239EE99477D5DF78CE478601

Function 000000013F242D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000013F242D7B

Part of subcall function 000000013F2427FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000013F24281E

__scrt_acquire_startup_lock.LIBCMT ref: 000000013F242D90
__scrt_release_startup_lock.LIBCMT ref: 000000013F242DFE
__scrt_get_show_window_mode.LIBCMT ref: 000000013F242E51

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 361d715a141413ce5e6ab3038a0a524374e666cb6f5504ccd2bce9e73d9fbafc
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 9D315E31F41200C2FB54EBA6D5163EB23B1AB41384F45143CAA4A6B2E7DEE8DB47C255

Function 000000013F222320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,000000013F222927,?,00100000,?,00000001,00000000,00000000,?,000000013F2214C1), ref: 000000013F222348
ReadFile.KERNELBASE ref: 000000013F222367
GetLastError.KERNEL32 ref: 000000013F22239B
GetLastError.KERNEL32 ref: 000000013F2223BA

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 0402c7405da7a340a7cba114cbf434fb6a0193a73cfed98fbfc688c78466c79a
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: C421D535E04648D1FAA09F21E4843EFA3A0F345B94F144578EE994B7C8CB7ECA878711

Function 000000013F22E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F22ECD8: ResetEvent.KERNEL32 ref: 000000013F22ECF1
Part of subcall function 000000013F22ECD8: ReleaseSemaphore.KERNEL32 ref: 000000013F22ED07

ReleaseSemaphore.KERNEL32 ref: 000000013F22E974
CloseHandle.KERNELBASE ref: 000000013F22E993
DeleteCriticalSection.KERNEL32 ref: 000000013F22E9AA
CloseHandle.KERNEL32 ref: 000000013F22E9B7

Part of subcall function 000000013F22EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA63
Part of subcall function 000000013F22EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA6E

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 545fd3685003e8e602d55183e1742052748b0ce32f4b4b9336277db7e5ebba29
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: E4010036A15E94E2E648DB21E6453DEB331F788BD0F004025DB6E03665CF75D5B6C740

Function 000000013F22EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 000000013F22EAE0
SetThreadPriority.KERNEL32 ref: 000000013F22EB36

Strings

CreateThread failed, xrefs: 000000013F22EAEE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: b30afd5a5a1cf2b745c8ea61ceb9c0a5cebb6698072d2b301da289a51ef5bd34
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 3B114C36A00A40D1EB50DB20E9513DBB370F798B94F548239EA4A46669DF78C68BC740

Function 000000013F23946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F22DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013F22DDDF

OleInitialize.OLE32 ref: 000000013F239486
SHGetMalloc.SHELL32 ref: 000000013F2394D4

Strings

riched20.dll, xrefs: 000000013F239475

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction ID: e4d5b5b0d88370ff3b01825ea12443268d9bf32e69431271599ba84c3c9a8e80
Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction Fuzzy Hash: 1DF04F71614A80C2EB409F60F41539BB7A0FB98754F800139EA8E86B55DF7CC24ECB10

Function 000000013F24EF5C Relevance: 4.7, APIs: 3, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013F24EFE3
MultiByteToWideChar.KERNEL32 ref: 000000013F24F0A8
WideCharToMultiByte.KERNEL32 ref: 000000013F24F238

Part of subcall function 000000013F24D94C: RtlAllocateHeap.NTDLL ref: 000000013F24D98A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeap
String ID:
API String ID: 2584219951-0
Opcode ID: 2257e0b6f8e0a972416a043cca1dd440209c131bba8554c2344489417849a289
Instruction ID: 57c2caca78ede6bc1803802d8a5ba8ddf077db0fe6cee99870772b8c2cd742e9
Opcode Fuzzy Hash: 2257e0b6f8e0a972416a043cca1dd440209c131bba8554c2344489417849a289
Instruction Fuzzy Hash: 04A1BF72B10B45C6FB24CF61D4503EA62E1F784BA8F444239AA5D57BC8EBBCC6468700

Function 000000013F23095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F23853C: GlobalMemoryStatusEx.KERNEL32 ref: 000000013F23856C

Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB67
Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB80

Part of subcall function 000000013F211FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211FFB

Part of subcall function 000000013F21129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013F211396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2401BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2401C1
SendDlgItemMessageW.USER32 ref: 000000013F2401F2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: b44ab40ada4fdf7cdbcaa15f8daeace4536de695359eeab31afda72367bc6ece
Instruction ID: e013371949b4ddce1bf0e09bb82cae54d5e2d66d60e9ef6660f9affa1e336539
Opcode Fuzzy Hash: b44ab40ada4fdf7cdbcaa15f8daeace4536de695359eeab31afda72367bc6ece
Instruction Fuzzy Hash: 9651AE72F01A40D6FB10DBA5D4553EE2372A789B88F41023ADE1D6BBDADE78C642C740

Function 000000013F222134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000013F2221CF
CreateFileW.KERNEL32 ref: 000000013F22223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2222D8

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 4deb08ca3be5073a72b2bd7db4a08fd3c34f80865c8b8240031b88655e7f576e
Instruction ID: 551e1416ccc607c44a244d1a13a63be859df2898246ad85ff543664302db1d9b
Opcode Fuzzy Hash: 4deb08ca3be5073a72b2bd7db4a08fd3c34f80865c8b8240031b88655e7f576e
Instruction Fuzzy Hash: E741C277A10788D2FB608F15E44479A77A1F384BB4F505328EFA907AD9CB79C596C700

Function 000000013F2123F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 000000013F21243E
GetWindowTextW.USER32 ref: 000000013F212476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F212505

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: edbdae515b0ac00df6a361e0ea4ef83759fb05d05b990204e34ba692badc1145
Instruction ID: cbb5b8c19017810d7e6cd42f460e1b9a701e8eb3fb2a5e09c47af9d797d9d5a1
Opcode Fuzzy Hash: edbdae515b0ac00df6a361e0ea4ef83759fb05d05b990204e34ba692badc1145
Instruction Fuzzy Hash: 63217172A14B84C1EA148B65A4403ABA364F789BD0F145229EB9D13B99DF7CC292C744

Function 000000013F231F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F23205B
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F232077
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F232093

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction ID: 9fd45ac38322e05f9616e5318d2f0ffde0b8677eae21850b246ecfe853ccca86
Opcode Fuzzy Hash: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction Fuzzy Hash: 2E3152B2E05A84D2FB249B14E4443EF63B0F750B84F54443AA68C16AE9DFB8CB5BC701

Function 000000013F223D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,000000013F2307E1), ref: 000000013F223D5E
SetFileAttributesW.KERNEL32 ref: 000000013F223DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F223E1A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 6ed0c8a070441816d5330cd3769e28eb6ceea82749a6528c2ac8f8b7ff7a8567
Instruction ID: fb2bfcf5280ed223ae099dc9468c339902d40108404d9667b014927f5c4fd9be
Opcode Fuzzy Hash: 6ed0c8a070441816d5330cd3769e28eb6ceea82749a6528c2ac8f8b7ff7a8567
Instruction Fuzzy Hash: 1621C532A14A84C1EA208F65E4453DB6361FB88B94F505238EF9E466E5DF7CCA46CA00

Function 000000013F2231BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,000000013F230822), ref: 000000013F2231E7
DeleteFileW.KERNEL32 ref: 000000013F223237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2232A1

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 1fd191feb40cc67e00974fea17ca92e04a2935e1faff0a05b7b511311eb8a7b5
Instruction ID: 208a7be2eeb17252a81ed5c2c3dfd2cdc95f3c56a89b1fc8e1ca14e0305c5634
Opcode Fuzzy Hash: 1fd191feb40cc67e00974fea17ca92e04a2935e1faff0a05b7b511311eb8a7b5
Instruction Fuzzy Hash: 3F218032A14B80C1EA508B25F44579F73A0F788B94F501238EB9E46AE9DF7CCA42CA40

Function 000000013F2232BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000000013F22E5B1,?,?,?,00000000,?), ref: 000000013F2232E7
GetFileAttributesW.KERNELBASE ref: 000000013F223334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F223399

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 9a50065414fe101911552ba5ebcc3347b9eb07001169c906163cef81c3539e2a
Instruction ID: d29d5a43b8a763e1edcecc0ea1e6f9e2fa2d8af52b1a699c9611dae875168517
Opcode Fuzzy Hash: 9a50065414fe101911552ba5ebcc3347b9eb07001169c906163cef81c3539e2a
Instruction Fuzzy Hash: 8E217432A14680D1EA508B29E44539BB361F7C87A4F500225EB9D47BD5DF7CC646C640

Function 000000013F22EC60 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,000000013F22EC59), ref: 000000013F22EC95
SetEvent.KERNEL32 ref: 000000013F22ECAB
LeaveCriticalSection.KERNEL32 ref: 000000013F22ECB4

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 9324722105c39c835c68e0c02af7360a70054ac96f81506ab973031d5eb9cc76
Instruction ID: 32fe30c05000296ad0a7d6be352f5093ee3d885ae9f24dd0e7fbabfacc0c3529
Opcode Fuzzy Hash: 9324722105c39c835c68e0c02af7360a70054ac96f81506ab973031d5eb9cc76
Instruction Fuzzy Hash: ADF03135A04B44D2EE609F25E6543EE6321F789B99F444138DE9E077A9CE3CC647DB40

Function 000000013F24BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,000000013F24BF48), ref: 000000013F24BF8C
TerminateProcess.KERNEL32(?,?,?,000000013F24BF48), ref: 000000013F24BF97
ExitProcess.KERNEL32 ref: 000000013F24BFA6

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: a942c56c5dfdf9e911525493fe3412fb724adf88818b1239f5c65cba93b36729
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 29E0BF34B00708C6EB546B3199993EB6362A788741F15543CAC0B173D6CEBDC54B8741

Function 000000013F25038C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000013F2503C2

Strings

, xrefs: 000000013F250407

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a8c800685481078d801c3a9547140eba41de8252033d851bc208b7bc76324660
Instruction ID: 440e798c04afaa51c2d8e488882c41e5ce736b5c39fe39669d26de2d6d69c984
Opcode Fuzzy Hash: a8c800685481078d801c3a9547140eba41de8252033d851bc208b7bc76324660
Instruction Fuzzy Hash: F2517172A186C5DBE721CF28E4483DEBBA0F348748F54412AD78E47A95CB78C656CB10

Function 000000013F24F79C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000013F24F86A

Strings

LCMapStringEx, xrefs: 000000013F24F7BD, 000000013F24F7CE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 17426379dc5621f9e1018306a2e07a6620b14fb09a176a6cc70ab50f48641bf8
Instruction ID: 8ad2088a264f3c0f47c17aeea5e3129d51e7a04fa1712a770a576edc78e4c63b
Opcode Fuzzy Hash: 17426379dc5621f9e1018306a2e07a6620b14fb09a176a6cc70ab50f48641bf8
Instruction Fuzzy Hash: 9C213E36A08B84C2DB60CB56F84039AB7A5F7C9B90F54412ADE8D53B29DF78C546CB04

Function 000000013F24F724 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?,00000003,000000013F24D771), ref: 000000013F24F781

Strings

InitializeCriticalSectionEx, xrefs: 000000013F24F73B, 000000013F24F74E

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c2713cc8f82347ddf34c1ff1e3a46d417220554c4cdd39c6d4a1de9404e2d7ea
Instruction ID: 47e033198d61dab625897db971062c2a5c5b0288b3783f8cc78267dfd6aad236
Opcode Fuzzy Hash: c2713cc8f82347ddf34c1ff1e3a46d417220554c4cdd39c6d4a1de9404e2d7ea
Instruction Fuzzy Hash: 84F04439B14B94C2EB059F46B5443EAB761A789BD0F984039DE4E17B55CE78C686C700

Function 000000013F24F5B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,000000013F24D590), ref: 000000013F24F5F8

Strings

FlsAlloc, xrefs: 000000013F24F5C1, 000000013F24F5D4

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 69bde66f6f93e2be0612d4f6e2d410048c1b703c33c775dbe88a9e5d38be4015
Instruction ID: 2b5774f056700e4638470dc3790fc5ed89e451c644c6de7e94e78e63357a917d
Opcode Fuzzy Hash: 69bde66f6f93e2be0612d4f6e2d410048c1b703c33c775dbe88a9e5d38be4015
Instruction Fuzzy Hash: A8E06531A06644D2EE059BA1F5583FA6360EB88780F9400799D1F17351DE78C686C311

Function 000000013F21F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21F89B

Part of subcall function 000000013F223EC8: FindClose.KERNELBASE(?,?,00000000,000000013F230811), ref: 000000013F223EFD

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: c5c7d7dd44041b355631c3011942db2cd47add71734483ce4ae8d396c296808b
Instruction ID: e2f43f58b17efdfee9b28cbd0730de4f26ad1a9bfdbb7a6fb799637654a918b8
Opcode Fuzzy Hash: c5c7d7dd44041b355631c3011942db2cd47add71734483ce4ae8d396c296808b
Instruction Fuzzy Hash: 80918E77A14B80D4EB10DF64D4843DE6761F784798F90422AEA6C07AEADF78C687C744

Function 000000013F250818 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F25027C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000000013F250599,?,?,?,?,?,?,?,000000013F250749), ref: 000000013F2502A6

IsValidCodePage.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013F25064C,?,?,?,?,?,?,?,000000013F250749), ref: 000000013F250892
GetCPInfo.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013F25064C,?,?,?,?,?,?,?,000000013F250749), ref: 000000013F2508A7

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: be6a5759142bd0290644e03c106ed6a52b2c001b1214ea6308d5d9eba8f96ecf
Instruction ID: 9ae8ded709ff57dab7e860d07bc56e5aab9cce0b924f245905ef39dde81b06e8
Opcode Fuzzy Hash: be6a5759142bd0290644e03c106ed6a52b2c001b1214ea6308d5d9eba8f96ecf
Instruction Fuzzy Hash: BC81B073E04692C5F765CB6598483EAFBA1F344B80F48413ADA4F4B6A9DA79CB43C340

Function 000000013F213904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F213AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F213AB9

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ac102126b0f220e1916f8f5b565c1fb15815e34047790f49f88a60c97a0c8aaa
Instruction ID: 2d92632bec024fb47445088779e8a84e50c0ebbc5c27ba564557ce198f2943c6
Opcode Fuzzy Hash: ac102126b0f220e1916f8f5b565c1fb15815e34047790f49f88a60c97a0c8aaa
Instruction Fuzzy Hash: 7541CC72F10690C4FB00DBB1D440BDE2762AB45BE8F145239EE5D2BADADA74CA83C304

Function 000000013F222778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,000000013F22274D), ref: 000000013F2228A9
GetLastError.KERNEL32(?,000000013F22274D), ref: 000000013F2228B8

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 4c67aca88522b05fa2afcfeff21e19b26b8152d657afc3a637480e567185b685
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: EC31B336B11A58D2FAA04F2ADD407EA6350A704BD4F140239DE5D577E0DA7ACB838751

Function 000000013F2122BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000013F2122F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2123F0

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 50d3dabbc2cad761c4bf160d2ea854522c0340c6e18f5e49c1c90068bd6a6ba9
Instruction ID: 050d3c236090609de96443879a3c9a8a08cec9edc83b8ed37cd2a54827ed7e47
Opcode Fuzzy Hash: 50d3dabbc2cad761c4bf160d2ea854522c0340c6e18f5e49c1c90068bd6a6ba9
Instruction Fuzzy Hash: 8731C132A11B84C2EA109B25F4453DFB360E784B90F445229EB9D07BEADF7CD682C708

Function 000000013F222AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 000000013F222AFE
SetFileTime.KERNELBASE ref: 000000013F222B9B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 4ab170b7e8f243bc6b889267a667f93fe44f3fda4d1b75dfb3cebf1012135ea6
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 0B21CC3AF05B58F1FAA28E21E5257EF6790AB05794F1541399E48076E5EA3AC78BC300

Function 000000013F22AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 000000013F22AB67
LoadStringW.USER32 ref: 000000013F22AB80

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 9b3cc21b3fd42b0a3dc6988312f65c5bb4112cbab66b8c3894bbb8844cb06392
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: BB116A75B01A40CAEB40CF1AA84078AB7A1B798FC0F64443DCE49D7B22DF78C64A8744

Function 000000013F222BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000013F222C11
GetLastError.KERNEL32 ref: 000000013F222C1E

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 19536b16fd2eea593a5d7457cd7ca4f7f739e08bc52a58a5490aa6c82073ba46
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: C911D036A05688D1FBA08B29E9813DE6360F344BB4F940329EA7D562E5CB39C797C300

Function 000000013F21255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F22A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F22A504
Part of subcall function 000000013F22A4AC: SetDlgItemTextW.USER32 ref: 000000013F22A573
Part of subcall function 000000013F22A4AC: GetWindowRect.USER32 ref: 000000013F22A5AD
Part of subcall function 000000013F22A4AC: GetClientRect.USER32 ref: 000000013F22A5BB

GetDlgItem.USER32 ref: 000000013F2125AC
SetWindowTextW.USER32 ref: 000000013F2125C8

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: 64054e75db15c4c181a3b608a21e6fd390ef54e23b9c378e0d592242a50efdfc
Instruction ID: 00a9c2202e7b5ca80760fce66cb615a5bda9c518bea4fa167819c65b0821b3aa
Opcode Fuzzy Hash: 64054e75db15c4c181a3b608a21e6fd390ef54e23b9c378e0d592242a50efdfc
Instruction Fuzzy Hash: AA012534E0564CD2FF595B51A4983EB57519745744F08403DD849066DADF6DC68AC304

Function 000000013F22EBC8 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F22EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA63
Part of subcall function 000000013F22EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA6E

RtlEnterCriticalSection.NTDLL ref: 000000013F22EC00
LeaveCriticalSection.KERNEL32 ref: 000000013F22EC2F

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveObjectSingleWait
String ID:
API String ID: 1001467830-0
Opcode ID: 58b232bf3861a2f87ff6634cf1f2135de5966187df66bae6417050fc38045da8
Instruction ID: 855407dada6b0dc4598719bd6fd8eb758e7e86e3fe17e8243e38d8045c6a7131
Opcode Fuzzy Hash: 58b232bf3861a2f87ff6634cf1f2135de5966187df66bae6417050fc38045da8
Instruction Fuzzy Hash: FD014B36A14A84E2EA588F25E6453DEA361F798B80F089124EF5A03315DF39E6B6D740

Function 000000013F22EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,000000013F22EBAD,?,?,?,?,000000013F225752,?,?,?,000000013F2256DE), ref: 000000013F22EB5C
GetProcessAffinityMask.KERNEL32 ref: 000000013F22EB6F

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 0d170711326ba4150cb0d131d49c96119e6938fe814ab4da026c314282c9ac91
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: B3E09B75F10949D6DF598F65C4557DFB392BBC8B40F848039E60B83614DE2CD64A8B00

Function 000000013F2421D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000013F242200

Part of subcall function 000000013F242F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F242F85

Concurrency::cancel_current_task.LIBCPMT ref: 000000013F242206

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: 6f492fdeaebb15668025431df23bfcc493ee6e6b81638a8bab8aa9a9f1074e89
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 58E01270E11105C1FD58627718263F700704F59770E5D173C9E3A656C7AA94C7939910

Function 000000013F2452EC Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

__vcrt_FlsAlloc.LIBVCRUNTIME ref: 000000013F2452F7
__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000000013F245327

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Alloc__vcrt___vcrt_uninitialize_ptd
String ID:
API String ID: 3765095794-0
Opcode ID: b626eb9a3b6ada7a78012530218f632c6a75038fb9b1341251fc2fb1ecdc57fa
Instruction ID: 8522dfd37f8737911296b3bfa4ad95c2cbdb093257f493da186367d1b1bbdb44
Opcode Fuzzy Hash: b626eb9a3b6ada7a78012530218f632c6a75038fb9b1341251fc2fb1ecdc57fa
Instruction Fuzzy Hash: F2E04F74E11A40D9EA146B345D463EB27706B41320FE0163CA4659A2E3DFE8C34B9740

Function 000000013F24D90C Relevance: 2.5, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000013F24D922
GetLastError.KERNEL32 ref: 000000013F24D934

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 1bdfa245805a8ff1f8e7b62723b55e14037293288f1ab840901e00f58680a241
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: C0E0E670E05505C6FF186BB258453E653A15B94751F45403C8D09D6252DE78C6878600

Function 000000013F2133E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21388C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 6d6f7f30e493412f4969793b48641c7b17b9ccdd5f52d8601071286c20d73a96
Instruction ID: 75061eef8380ac92cc0110e95d0f3e6e0e8d31a97ec6224f93e8f37e149f5a1c
Opcode Fuzzy Hash: 6d6f7f30e493412f4969793b48641c7b17b9ccdd5f52d8601071286c20d73a96
Instruction Fuzzy Hash: 04D1CD7AB006C4D6FF288B259644BEEBBA2F705BC4F050039CF59477A5CB34DA668709

Function 000000013F225294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22551B

Part of subcall function 000000013F2313F4: CompareStringW.KERNEL32 ref: 000000013F23145A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: f77260627b75add95ca9d2c0935e9610f9349842e6d8a2c52f671b725446453a
Instruction ID: 45066933533ffc910982d231853f866aa84efb0a4784215ca560814f2b2217eb
Opcode Fuzzy Hash: f77260627b75add95ca9d2c0935e9610f9349842e6d8a2c52f671b725446453a
Instruction Fuzzy Hash: 77614839E14645EAFAF49E2584173FF9291AB41BD0F14D13DAE4907AC5EABCCB43C200

Function 000000013F231870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F22E948: ReleaseSemaphore.KERNEL32 ref: 000000013F22E974
Part of subcall function 000000013F22E948: CloseHandle.KERNELBASE ref: 000000013F22E993
Part of subcall function 000000013F22E948: DeleteCriticalSection.KERNEL32 ref: 000000013F22E9AA
Part of subcall function 000000013F22E948: CloseHandle.KERNEL32 ref: 000000013F22E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F231ACB

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 64e4c0b27db856b2e1557b0c40e73339b2e4437797481325bfee9d1e55471a1b
Instruction ID: 944fc3fc1da748dfe99316011d3671983a5e22009dbd88c2cfbf6186da103a44
Opcode Fuzzy Hash: 64e4c0b27db856b2e1557b0c40e73339b2e4437797481325bfee9d1e55471a1b
Instruction Fuzzy Hash: F16161B2B12A84E2EE08DB65D5543EE7365FB40F94F54413BD7691BAC6CF64C662C300

Function 000000013F21EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21EEB8

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ee4693f2c48cedbc51ad7bc029ee064e32ea8ec3cb116d2b04c7847efbfa9451
Instruction ID: 1b1a8090e17fdb376bc805dfa584e86f2f5ec1be45090a5b6f4f598e0b39d8c6
Opcode Fuzzy Hash: ee4693f2c48cedbc51ad7bc029ee064e32ea8ec3cb116d2b04c7847efbfa9451
Instruction Fuzzy Hash: 9651CE7AA00A84D0FA149F26E8443DB67A1F786BD4F48013AEE5907796CF7DD686C344

Function 000000013F21E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F223EC8: FindClose.KERNELBASE(?,?,00000000,000000013F230811), ref: 000000013F223EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21E993

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: e8163c2a7431a384f10e23062ae674c5baa781d2f4b04224e71daf838b7b6f9c
Instruction ID: 4bbf379b53760d4da1a5e2fb8a25d57f919640119ab65553d9c01738a51ba8fa
Opcode Fuzzy Hash: e8163c2a7431a384f10e23062ae674c5baa781d2f4b04224e71daf838b7b6f9c
Instruction Fuzzy Hash: D4517076A14B84C1FB60DF29D8853DE73A1FB84B84F44023AEA89477A6DF28D643C754

Function 000000013F221794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22187D

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1d654c8d03723e7a52e8c6ec94e86296d18edc9530b95e6b5aacb605859593f9
Instruction ID: 5810b125877af4d0d2fc2538966d1da362eccb4908cd19b157c6c2b05cec4026
Opcode Fuzzy Hash: 1d654c8d03723e7a52e8c6ec94e86296d18edc9530b95e6b5aacb605859593f9
Instruction Fuzzy Hash: B841F976B14A9092FA549A17E6403DBA251F784FC0F44853AEF4C4BF9ADF78C6538340

Function 000000013F222F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2230C8

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8c83712e9be8db2c05fa3a1a7a11be335b197f8fa561b90d00d93b4e1419764b
Instruction ID: c0eb7b0531beb7c95707f26d01cf1eb02858ae2874361398377b7d38ae271e6f
Opcode Fuzzy Hash: 8c83712e9be8db2c05fa3a1a7a11be335b197f8fa561b90d00d93b4e1419764b
Instruction Fuzzy Hash: BB41EF7AA00B44D1FE949F29E5453AB23A1E784BD8F541238EB49077E9DF39CB82C650

Function 000000013F24BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000013F24BE20

Part of subcall function 000000013F24BFB0: GetModuleHandleExW.KERNEL32 ref: 000000013F24BFD0
Part of subcall function 000000013F24BFB0: GetProcAddress.KERNEL32 ref: 000000013F24BFE6
Part of subcall function 000000013F24BFB0: FreeLibrary.KERNEL32 ref: 000000013F24C00B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 1699e4cbef9b454f9ea25f28fe811812aa04975e162d70ac17dab084f4200af2
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 3F41BC32B10640C2FB24DB6599503EB22B1B794B40F95443EEE0A677E2DBB9CA47C740

Function 000000013F21129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000013F211396

Part of subcall function 000000013F211F80: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F211F89

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction ID: 38525e178c9d955669eb276341d59dfebbec8deb49abcecf13f61074b284d782
Opcode Fuzzy Hash: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction Fuzzy Hash: 32218336A04750C5EA149F92A4003EB6268F705BF0F680B39DF7947BDADB7CC6528348

Function 000000013F213AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F213B6C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8fc652ac7c959a295c7730ce90c0f7499c45745d6b82b8dbd8efa7802d42d794
Instruction ID: 02c436f95ae2d329f57d55eabc8384941381125d4af42b197ac59d0767d1e1ad
Opcode Fuzzy Hash: 8fc652ac7c959a295c7730ce90c0f7499c45745d6b82b8dbd8efa7802d42d794
Instruction Fuzzy Hash: 0501C476E14BC4C1FA219728E44539A7362F789790F805239EBDC07BE5EF6CC6428708

Function 000000013F241558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000013F241604: GetModuleHandleW.KERNEL32(?,?,?,000000013F241573,?,?,?,000000013F24192A), ref: 000000013F24162B

DloadProtectSection.DELAYIMP ref: 000000013F2415C9

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: fc3e356c3179f41402663d198e474c919bee90a0e6f1afabec51246cd410d67f
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: 6711CC70E10644C1FB669B16EA853E233B0A718348F25043DDD1E662B3EBB8CB9BC705

Function 000000013F223EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F2240BC: FindFirstFileW.KERNELBASE ref: 000000013F22410B
Part of subcall function 000000013F2240BC: FindFirstFileW.KERNEL32 ref: 000000013F22415E
Part of subcall function 000000013F2240BC: GetLastError.KERNEL32 ref: 000000013F2241AF

FindClose.KERNELBASE(?,?,00000000,000000013F230811), ref: 000000013F223EFD

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 306ff6d410fdbe3437da154a6ac91ac0b6aa21d7a616781217fbccf71389d193
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 1CF0C276904280D5EA90AF75A1447DA3760E71ABB4F14133CEA39073C7CA68CA86C784

Function 000000013F24D94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000000013F24D98A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 1c778f1afa6bc7190e034c51b128e9566ae524432eb577587de8fa05ff5341d6
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 68F0A070F01345C5FF2467B258103F712B09B847A0F8A1A3C1D2AE63C2DEACC6838210

Function 000000013F22273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 000000013F222755

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: 30d1d0165f0d71cdbd98c8a30b3df0bd939531ba6e12afdde057e76ec7e15635
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: 7EE0C226B20518C2FF60AB3AC8467EA6320EB8DF84F4810348E0D073A1CE25C5868A00

Function 000000013F24D580 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000000013F24D5AB

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: ce8e2ffe289f7fce94720d68f3ba514a3dbdfcf06443afd0443132baf869d67a
Instruction ID: 278f15cd3145fdc2104fdd131bbef67d9ec40d9b754c5f72ccea363574381f73
Opcode Fuzzy Hash: ce8e2ffe289f7fce94720d68f3ba514a3dbdfcf06443afd0443132baf869d67a
Instruction Fuzzy Hash: 4FE012B0E01100C1FD65AB3058423EB12702B15318FD2097DE936623D3EDE4C7435610

Function 000000013F222490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 000000013F2224A2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 89c020e3136ba482750dbd8ccfa545a5aa12b38f1fc1b18640ffcf60b4d9fc5f
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 6AD0123AD01444D3ED50973598523AE2350AB92735FB40714DA3EC16E1C65EC69BE311

Function 000000013F227FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 000000013F227FD2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 933fe5117072882a8a1c3bca557b84d465725bdb4323eab2bc96e9386f30ff42
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 99C04C35F15905C1DA085B26C8CA38A13A5F754B05F654029D50D81160DE29C6EF9745

Function 000000013F2220D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 000000013F2220F6

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: d1f89b3a4d06719b001934cd5f654094683ffb0802cf2589d688e08e142cfb3d
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 06F0CD36A00688E5FBA48B30E0417EA6760E314BB8F484328EB39811D6DB60CA9BC700

Non-executed Functions

Function 000000013F21C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F21DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F21CF4B), ref: 000000013F21DE27
Part of subcall function 000000013F21DE04: GetLastError.KERNEL32 ref: 000000013F21DE88
Part of subcall function 000000013F21DE04: CloseHandle.KERNEL32 ref: 000000013F21DE9B

wcscpy.LIBCMT ref: 000000013F21CBC8
wcscpy.LIBCMT ref: 000000013F21CBFE
CreateFileW.KERNEL32 ref: 000000013F21CC38
DeviceIoControl.KERNEL32 ref: 000000013F21CD01
CloseHandle.KERNEL32 ref: 000000013F21CD12
GetLastError.KERNEL32 ref: 000000013F21CD2E
RemoveDirectoryW.KERNEL32 ref: 000000013F21CD7D
DeleteFileW.KERNEL32 ref: 000000013F21CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21CED7

Strings

\??\, xrefs: 000000013F21C392, 000000013F21C3B8
SeRestorePrivilege, xrefs: 000000013F21C343
SeCreateSymbolicLinkPrivilege, xrefs: 000000013F21C34F
UNC\, xrefs: 000000013F21C53F, 000000013F21C55D

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 2b29d3339ab04c1a7270bf370d50b6fd8c35a30e2b651de71bed7b22e0c2bcde
Instruction ID: 92a3e445015e436188a10398f1c98d4c6f3ff92591afc52cdb533cf294e71677
Opcode Fuzzy Hash: 2b29d3339ab04c1a7270bf370d50b6fd8c35a30e2b651de71bed7b22e0c2bcde
Instruction Fuzzy Hash: 2062BF7AF10A84C5FB00DBB4D4453EE2371E7857A8F504229EA6D67AEADF74C686C304

Function 000000013F22F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 000000013F230528

Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB67
Part of subcall function 000000013F22AAE0: LoadStringW.USER32 ref: 000000013F22AB80

Part of subcall function 000000013F23B0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,000000013F230429), ref: 000000013F23B110
Part of subcall function 000000013F23B0DC: SetLastError.KERNEL32 ref: 000000013F23B153

Part of subcall function 000000013F21129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013F211396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F230490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F230496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2304F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F230532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F230538

Strings

%s: %s, xrefs: 000000013F22FC11
%ls, xrefs: 000000013F22F3AC, 000000013F22F3FF

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: ad02539a7615a4da39f249392d2b6a9ba509cbab837690a24a6727856c9cddba
Instruction ID: f65fe683960c8be1c68206b546ffa6015e8464e17831f33f5c947e71d735430d
Opcode Fuzzy Hash: ad02539a7615a4da39f249392d2b6a9ba509cbab837690a24a6727856c9cddba
Instruction Fuzzy Hash: 3AB29572A10685C2EA109B65D4553EFA321EBC9794F10423FABDD57BEAEE68C742C700

Function 000000013F252550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F252C12
memcpy_s.LIBCMT ref: 000000013F2535BF
memcpy_s.LIBCMT ref: 000000013F253666

Part of subcall function 000000013F2538BC: _invalid_parameter_noinfo.LIBCMT ref: 000000013F2538EE

memcpy_s.LIBCMT ref: 000000013F25372F

Part of subcall function 000000013F24D008: _invalid_parameter_noinfo.LIBCMT ref: 000000013F24D02D

Strings

1#QNAN, xrefs: 000000013F2537E8
1#IND, xrefs: 000000013F2537AA
1#INF, xrefs: 000000013F253807
1#SNAN, xrefs: 000000013F2537C9

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: f8ea0f526ffee53f2bc4a66ef22c32295b34e131e4145ca514802dd4baa71446
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: DEB2D672E00291CBE725CE69D448BEEB7A5F358788F506139DA1B67BC8D735CA068B40

Function 000000013F221A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 000000013F221A97
GetLongPathNameW.KERNEL32 ref: 000000013F221AE0
GetShortPathNameW.KERNEL32 ref: 000000013F221B21
GetShortPathNameW.KERNEL32 ref: 000000013F221B6A

Part of subcall function 000000013F2313C4: CompareStringW.KERNEL32 ref: 000000013F2313E3

MoveFileW.KERNEL32 ref: 000000013F221DFE
MoveFileW.KERNEL32 ref: 000000013F221E65

Part of subcall function 000000013F222134: CreateFileW.KERNEL32 ref: 000000013F22223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F221FED

Strings

rtmp, xrefs: 000000013F221CF4, 000000013F221D03

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 46720b277ee4ca4cb7735330bedb27dc610672b28b4e4f5b2232f8dc8f14668d
Instruction ID: 6c1c5a4f75eccbd289cc9d3ccb78de6174142b814c7dc0e4734a5112b32785d4
Opcode Fuzzy Hash: 46720b277ee4ca4cb7735330bedb27dc610672b28b4e4f5b2232f8dc8f14668d
Instruction Fuzzy Hash: F0F1BB36B00B80E1EB50DB65D8807EF67B1F7857D4F50112AEA4A97AE9DF38C686C740

Function 000000013F225B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 000000013F225BC2
GetFullPathNameW.KERNEL32 ref: 000000013F225C0E
GetFullPathNameW.KERNEL32 ref: 000000013F225D2B
GetFullPathNameW.KERNEL32 ref: 000000013F225D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F225EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F225EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F225EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F225EF2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 9da81c3bc7566f90a4d86f7365aa6446543d628d65e0ea004da70b429abed106
Instruction ID: 71fa96696fb74b189cb6415f5e6150cdb1a2e03e17de04240b45421d4b4c51cf
Opcode Fuzzy Hash: 9da81c3bc7566f90a4d86f7365aa6446543d628d65e0ea004da70b429abed106
Instruction Fuzzy Hash: 79A1B376F11B50D9FF50CB7999493EE2361A785BE4F548229DE2927BC9DE78C243C200

Function 000000013F243170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000013F24318C
RtlCaptureContext.KERNEL32 ref: 000000013F2431B9
RtlLookupFunctionEntry.KERNEL32 ref: 000000013F2431D3
RtlVirtualUnwind.KERNEL32 ref: 000000013F243214
IsDebuggerPresent.KERNEL32 ref: 000000013F243268
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013F243289
UnhandledExceptionFilter.KERNEL32 ref: 000000013F243294

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 1f209a7c93a7e638eae14b7225c64c62e213c85923a4f50b105b401a5fbb0a53
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 93315B72605B80DAEB609F60E8547EE7370F784744F84443ADB4E57A98DF78CA49C710

Function 000000013F2476D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000013F247751
RtlLookupFunctionEntry.KERNEL32 ref: 000000013F247769
RtlVirtualUnwind.KERNEL32 ref: 000000013F2477A4
IsDebuggerPresent.KERNEL32 ref: 000000013F2477DD
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013F2477E7
UnhandledExceptionFilter.KERNEL32 ref: 000000013F2477F2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 04dcb070da355908cba85fe85d16045bd3c9ce9a4bb4e851b4cf4fe730a84baa
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 20313B32604B80D6EB608F25E8447DE77A4F788B54F540129EE9E53B99DF78C656CB00

Function 000000013F211AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F211EBB

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 300dd9cc50a5c7816435619c3f5343720d80d9ae4efb6ade2117f3cf4a891e63
Instruction ID: 2cd353811642edaab43add601a3c24aa0858aa7e0d706c0a082ced13c92db632
Opcode Fuzzy Hash: 300dd9cc50a5c7816435619c3f5343720d80d9ae4efb6ade2117f3cf4a891e63
Instruction Fuzzy Hash: 9DB1D076B10B84C6EB10DB65D8443DF2361FB8A794F405229EA5D57BEAEF38C646C308

Function 000000013F24FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24FAC4

Part of subcall function 000000013F247934: GetCurrentProcess.KERNEL32(000000013F250CCD), ref: 000000013F247961

Strings

*?, xrefs: 000000013F24FAEB
., xrefs: 000000013F24FEE4

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: 16c3e02ead87633a9e0adbde692a62bd6896d23cef8298c4a757a34085d225a4
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 7551D072F11B94C1EB11DFA2A8107EA67B4F788BD8F444539DE5927B89EAB8C1438300

Function 000000013F252080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 000000013F25210B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: c3b409769e33b59c0e3d26b1518bc34a9ba1a198885acc57fdb6e2e34c3cf241
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 23D18B32B18685C7EB64CF15E1887AAB7A1F798784F148138DB4E97BC4D63DDA42CB00

Function 000000013F21B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,000000013F21BA9D), ref: 000000013F21B6E5
FormatMessageW.KERNEL32 ref: 000000013F21B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,000000013F21BA9D), ref: 000000013F21B743

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 21f5e5a0d5485bd161ea4145b3ba05039c863045537cd5c7a04f31d0a2dc5b3f
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 7D011276A08745C2E7109F22B9543ABA3A5F789BC0F484038EA8E47B95DF38C60A8705

Function 000000013F24FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 000000013F24FEE4

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c6a507b225cd4218212adc004c755bbf20f968de81e7d05236a270c9e1509e97
Instruction ID: 5f98100d2fe26d4d1f85d2b9e529eb3c9487189b7d4c9d2f8a4ffc367c7eb8ca
Opcode Fuzzy Hash: c6a507b225cd4218212adc004c755bbf20f968de81e7d05236a270c9e1509e97
Instruction Fuzzy Hash: 07310C32B00694C5F7209B76E8057EB7AA1B7D4BE4F548339AE6957BC6CA7CC6038300

Function 000000013F255AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000013F255D45
RaiseException.KERNEL32 ref: 000000013F255D56

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 85a2dc046778a3e8368b84004830525ff76f79b6a3339c459ebf959adbd19282
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: EAB11A73611B88CEEB15CF29C84A3997BA0F344B5CF158925DA5E877A8CB39C552C700

Function 000000013F238DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F2385E0: GetDC.USER32 ref: 000000013F2385EC
Part of subcall function 000000013F2385E0: GetDeviceCaps.GDI32 ref: 000000013F2385FD
Part of subcall function 000000013F2385E0: ReleaseDC.USER32 ref: 000000013F23860A

GetObjectW.GDI32 ref: 000000013F238E48

Part of subcall function 000000013F2390B0: GetDC.USER32 ref: 000000013F2390D9
Part of subcall function 000000013F2390B0: GetObjectW.GDI32 ref: 000000013F239107
Part of subcall function 000000013F2390B0: ReleaseDC.USER32 ref: 000000013F2391BB

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: d0501deeb44940602ad1044c94f55e1d0048187f66d22285c46060802fb28f9f
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: C0811576B14A04C6EB20CB6AE9447DE7771F788B88F01412ADE4E57B24DF78C64AC780

Function 000000013F23A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000000013F23A315
GetNumberFormatW.KERNEL32 ref: 000000013F23A371

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: d8d8c881866a96fb3054e8d4bafe979521d73a77cd519810480ea2e4718e8310
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 15115B32A14B84D6E7618F61F8107DB7364FB88B94F854139EA4907B68EF7CC64AC748

Function 000000013F22126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F2224C0: CreateFileW.KERNELBASE ref: 000000013F22259B
Part of subcall function 000000013F2224C0: GetLastError.KERNEL32 ref: 000000013F2225AE
Part of subcall function 000000013F2224C0: CreateFileW.KERNEL32 ref: 000000013F22260E
Part of subcall function 000000013F2224C0: GetLastError.KERNEL32 ref: 000000013F222617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2215D0

Part of subcall function 000000013F223980: MoveFileW.KERNEL32 ref: 000000013F2239BD
Part of subcall function 000000013F223980: MoveFileW.KERNEL32 ref: 000000013F223A34

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: f8f20fe289e50002a0a54c88778f70f50b297ae81d229b3573a39973a23deb87
Instruction ID: 610a1a88da0acd8b05ff4791fbe4d7c588e35b2461f71d1ba33be5ef2ee257df
Opcode Fuzzy Hash: f8f20fe289e50002a0a54c88778f70f50b297ae81d229b3573a39973a23deb87
Instruction Fuzzy Hash: 0691AC3AB20A44E2EB90DB66D484BDF6361F794BC4F40402AEE4D57BA5DF38C656C740

Function 000000013F224EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 000000013F224EE2

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: 734d21ec4a223bcbcc20d3cb96df90d37743f83ba87db5da1f59e7c79d1011a2
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: 0101A976A45580DAFAB18720A8157D77790E3EAB09F84113CD599062A7C73CE38F8A14

Function 000000013F248C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 000000013F248DD3

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: d2b6e28801fd10c3885d5a8f398ba928d32cface2f569674cc35fd448e2b84d6
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 2681E332B32640C6FBA88A6586407EF23B0F751B48F541939ED01BBA99C7B5CA4BD741

Function 000000013F2489A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 000000013F248B3A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: c406e75773cc574d4cd0f6c143c0b6c8b39643118d18204b14075dab08d6803e
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 8D710631A25690CAFB688A2992503EF23F0A742744F18193DDE01FFAD6C6E5CB478751

Function 000000013F22C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 000000013F22C97B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: ea1d5455172fd2732f884a516b1df85dec6759e200e3b0f0b96010ef82ecd536
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: C4519F37B246908BD764CF25E404A9EB3A5F388798F45511AEF8A93B09CB39DA45CF40

Function 000000013F24C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 000000013F24C874

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 584fc3fb114c73591a1c16a85a301843459550740019fdfc5e3b33f1ac2a1857
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: DD419B72710A44C6EA04DF2AE9543EAB3A1A358FD4F89903AEF0D97754EA7CC646C300

Function 000000013F250D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000013F250D24

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 7051c4225f43ad37627800d20e9d7ef2c9a5838c188e9a1e4f4a950e28f2a50e
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: C5B09230E23B04C2EA082B166D863C522A4BB88740F98806CC50D41320DE2C42AA8701

Function 000000013F233964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: f6bbadf4fbbbb2b20aecb2a3a3c88e016aceb8d5148793a60d2d555d399db6e9
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: 7A82F2F3A05AC0C6D715CF68D444BED7BA1E355B88F19823FDA9A47396DA38CA46C310

Function 000000013F2176C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 581b896db5d630609a49e47cb6595c1461fea5a605b4113c1480ccc7ed847f2b
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 8E627F9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 000000013F2353F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: 9ae93162af9398ea6ed20d035ee3a9e97618852a38390c28fd127129e3fcea15
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 2E8211B3A056C0CAD726CF28D4457ED7BA1F355B48F19823BCA8D47789DA39CA86C710

Function 000000013F22BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 04f2d4374ef2c46e3e73dba04e722c94ef4b7da201b4ac889fcfce53760ed8ba
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: CD22D4B3B206508BD728CF25D89AA5E3766F398744B4B8228DF06CB785DB39D605CB40

Function 000000013F234B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: ce7a93ae7d399314b83b8daddfe4d99d1db1759c7bb6854689cf56e177319e1a
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 7732D0B2A10590CBE71DCF28D551BEE37A1F354B48F05813EDA4A97B88D738DA66CB40

Function 000000013F217288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 694dc2062e6b1a70df5679d8217ec7db83317643008e1df428a75792cffba441
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: 60C18AB7B281908FE350CF7AE400A9E3BB1F39878CB519125EF59A7B09D639D645CB40

Function 000000013F232D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: a46ca9a096d006c0a09047d95f2672d3989b7f6888eda47fd02eaaeeda7c81f5
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: D4A102B3A04290C6EB25DA28D444BEF6791E3A4784F59463EDE86477C6DA38CB83C750

Function 000000013F22AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 768ba1b368dfff248b9007498aa6c5c8978c5c4a63728ed1f7aa75d01174010e
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 4BC1D677A292E08DE302CBB5A4249FD3FB1E31D34DF4A4155EF9266B4AD2288301DF60

Function 000000013F21A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 2f4509254d32f3d40536a2cae1dd04ce1059931d064ee303806709378c5b0764
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: E0912177B14580E6EB11CF29D4517EE6721FBA5B88F841025EF4A17B4AEA38C74BC700

Function 000000013F22B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 2e39fab6d651601ce202bca0751ab26ff385142466aaba69627478a06e7ac4a6
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: EF610137B101D0A9EB51CF7585047EE7FB1E35A784F8A802AEE9667746D638C606CB10

Function 000000013F2321D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: 82f736c05abf81c5e590bf3e36215d093a07b1a27e34028016a2af8a298a12b5
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 215104B3B141A08BE729CF28D514BEE3761F394B48F85412A9B4647AC9DA3DCA46CB40

Function 000000013F232AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 08dc8b431533043687d4e25b6d715c1bfd96be122c854d16b317d5ab251fa5ad
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 2A31F5B2A146809BD758DE1ADAA07AF7BD1F344784F14813EDF4287B82D63CD542CB00

Function 000000013F22DC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: e0d759b93e0c46dfa87889242ac255f0b4db4bb5da2890ba381d0ae502d9e565
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: 06F0F879F1A041E2FBE8102C98193FB10569311310FE4883EE217C62C5D1A9CA835309

Function 000000013F243354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: 4a9560274e640de64930a9b36474b7c7b8b2c1feaded5bd0154f2f96d78f5af0
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 35A00271904C44E0E6449B50E9647E26730F350301F944079F40E510A4DFBCCA03D340

Function 000000013F21D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D964

Strings

::$EA_INFORMATION, xrefs: 000000013F21D828
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 000000013F21D875
::$INDEX_ALLOCATION, xrefs: 000000013F21D83E
::$DATA, xrefs: 000000013F21D812
:$I30:$INDEX_ALLOCATION, xrefs: 000000013F21D849
::$REPARSE_POINT, xrefs: 000000013F21D88B
::$LOGGED_UTILITY_STREAM, xrefs: 000000013F21D85F
::$FILE_NAME, xrefs: 000000013F21D833
::$INDEX_ROOT, xrefs: 000000013F21D854
::$ATTRIBUTE_LIST, xrefs: 000000013F21D7FC
::$OBJECT_ID, xrefs: 000000013F21D880
::$EA, xrefs: 000000013F21D81D
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 000000013F21D86A
::$BITMAP, xrefs: 000000013F21D807

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 7a6d946e213098ab8cc9fb54a64ac08de2763ec1b5bc3a926e1f7339651cfd74
Instruction ID: 67ca71dc8889d9f91f34355d8df019968d846f13855c007688e535f7ecc5204d
Opcode Fuzzy Hash: 7a6d946e213098ab8cc9fb54a64ac08de2763ec1b5bc3a926e1f7339651cfd74
Instruction Fuzzy Hash: E941D376B02F04D9EB048B65E5853DA33B9EB48798F80023ADE5D53B69EE74C256C384

Function 000000013F242A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000013F242A26
GetModuleHandleW.KERNEL32 ref: 000000013F242A33
GetModuleHandleW.KERNEL32 ref: 000000013F242A48
GetProcAddress.KERNEL32 ref: 000000013F242A60
GetProcAddress.KERNEL32 ref: 000000013F242A73
CreateEventW.KERNEL32 ref: 000000013F242A9F
DeleteCriticalSection.KERNEL32 ref: 000000013F242AEB
CloseHandle.KERNEL32 ref: 000000013F242AFD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 000000013F242A2C
SleepConditionVariableCS, xrefs: 000000013F242A56
kernel32.dll, xrefs: 000000013F242A41
WakeAllConditionVariable, xrefs: 000000013F242A66

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 0d31c57625273a8ad4482af12950cc48b01dbf9d26cde80556f9fc339ea5f821
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: D0211970A11A05D1FF549B62EA693E663B0AB48780F58543C9D0E567A1EFB8C78BC310

Function 000000013F226A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270A6

Part of subcall function 000000013F212004: std::_Xinvalid_argument.LIBCPMT ref: 000000013F21200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2270DC

Strings

DXGIDebug.dll, xrefs: 000000013F226A18
\\?\, xrefs: 000000013F226A57, 000000013F226A66
UNC, xrefs: 000000013F226BBF

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: ee57ffdaa628a4523baa33cf3aee09a7e7a0d12a4d8e146c800fe8bc560304e6
Instruction ID: 16cc6572026d25ac0f913ad0269479f1cbb1b73b16870e33838190ab015c8942
Opcode Fuzzy Hash: ee57ffdaa628a4523baa33cf3aee09a7e7a0d12a4d8e146c800fe8bc560304e6
Instruction Fuzzy Hash: 7412DB36B05B40D0EB10DF69E4443DE6372E781B98F50422ADB6957BEADF78C68AC344

Function 000000013F23A440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F21129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013F211396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23A72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23A735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23A73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23A741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23A747
EndDialog.USER32 ref: 000000013F23A7BA

Strings

Software\WinRAR SFX, xrefs: 000000013F23A52B, 000000013F23A53A
GETPASSWORD1, xrefs: 000000013F23A773

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: e649241556eb4477795fcdb655db1f67983da935ee3a1250067e8312a05c5626
Instruction ID: b7c05555bfd32aa8e7edcb26c8e7a4c55ba36f0f4f1b99d57df28a91ef557cba
Opcode Fuzzy Hash: e649241556eb4477795fcdb655db1f67983da935ee3a1250067e8312a05c5626
Instruction Fuzzy Hash: 7AB1AEB6F11B80C5FB00DBA4D4853DE2372E785798F40423ADE5926ADADE78C647C744

Function 000000013F236E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000013F237E9B), ref: 000000013F237080
CreateStreamOnHGlobal.OLE32 ref: 000000013F2370B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F237181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F237187

Strings

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 000000013F236ED5, 000000013F236EE4
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 000000013F236F2C, 000000013F236F3B
<html>, xrefs: 000000013F236F13
</html>, xrefs: 000000013F236F72, 000000013F236F81

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 51127e303019f1fa10426485046a28b2719f38416803858a6fe94b28818fe22a
Instruction ID: 7ecd4ef18e2ada7b73cf3794d35af7f54f9539c6190f7f6558eb9bab5cbea9aa
Opcode Fuzzy Hash: 51127e303019f1fa10426485046a28b2719f38416803858a6fe94b28818fe22a
Instruction Fuzzy Hash: CE8168B2B14A44D5FB00DBA6D8443DE7371EB49798F40453ADE1A27AAAEE74C60BC344

Function 000000013F24E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24E7CD

Strings

nan(ind), xrefs: 000000013F24E706
inf, xrefs: 000000013F24E6D6
INF, xrefs: 000000013F24E6C3
NAN(IND), xrefs: 000000013F24E6FB
nan, xrefs: 000000013F24E6B8
nan(snan), xrefs: 000000013F24E6F0
NAN, xrefs: 000000013F24E6B1
NAN(SNAN), xrefs: 000000013F24E6E5

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 73fa2f91d946df4dfd552283a50324b87e78a15dfab8c7fff24712c0332f7284
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 5F418972A02B44C9FB04CF35E8417DA37A4E718398F41453AAE9D57B94EA78C26AC384

Function 000000013F23F390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 000000013F23F3CF
GetClassNameW.USER32 ref: 000000013F23F3FC
GetWindowLongPtrW.USER32 ref: 000000013F23F41D
SendMessageW.USER32 ref: 000000013F23F437
GetObjectW.GDI32 ref: 000000013F23F452
SendMessageW.USER32 ref: 000000013F23F487
DeleteObject.GDI32 ref: 000000013F23F490
GetWindow.USER32 ref: 000000013F23F49E

Strings

STATIC, xrefs: 000000013F23F402

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: efb80b97dd98e8db0fc33bd8e1ba034c8015b245252ad52947bfc66f43e7456c
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: F431CF76B04A40C2FA64DB12A5147EB23A1F789BC0F010039DE490BB96DF3CCA0B8740

Function 000000013F23AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 000000013F23AEAE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: e90b9384c60c11783b9b01daa7ac55977eea3c9c49fbb3f512ed50b0c19890db
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: E5418B75A04A50C2FB549B51E8547EB23A1E788F94F04413EED0A0BBA6CF7DCB4B8700

Function 000000013F22B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000013F22BA12
GetProcAddress.KERNEL32 ref: 000000013F22BA2D
GetCurrentProcessId.KERNEL32 ref: 000000013F22BACA

Part of subcall function 000000013F22DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013F22DDDF

Strings

CryptUnprotectMemory failed, xrefs: 000000013F22BAC1
CryptUnprotectMemory, xrefs: 000000013F22BA1F
CryptProtectMemory failed, xrefs: 000000013F22BA80
CryptProtectMemory, xrefs: 000000013F22BA08
Crypt32.dll, xrefs: 000000013F22B9F0

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction ID: de0973201b363cf36ab19a6f331302b32abeccd7dff29255f0f8d3e033b2d6f5
Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction Fuzzy Hash: 57315938E01B04D0FE548B26A9643E777A0EB48B90F48913DEC5A4B7A6DF38C74B8344

Function 000000013F2387D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F238DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F238DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F238DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F238DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F238DE0

Strings

, xrefs: 000000013F2388BE
, xrefs: 000000013F238A55

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: fba1bd8aa635f3f6d5198a4fd819999d9510bb129eafd649dd3f86975facee9e
Instruction ID: 1b1e27701220d7010a67a3857da3e4e631fe8ef6a06ddb0e06325b217e24d870
Opcode Fuzzy Hash: fba1bd8aa635f3f6d5198a4fd819999d9510bb129eafd649dd3f86975facee9e
Instruction Fuzzy Hash: 08F1AEB3F11B48C0EE049BA5D6443EE2372E754BA8F50562ACF691B7D9DB78C286C344

Function 000000013F2457EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000013F24598A
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F245CAD
abort.LIBCMT ref: 000000013F245CE1

Strings

csm, xrefs: 000000013F2458D1
csm, xrefs: 000000013F245933
csm, xrefs: 000000013F2459B1

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 0e0a972be0c4191db12882ef46d4c1dfb3745f3912a9d783f1037b61487d27be
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: F2E17A73A00A90CAE721DB65D4823DE7BB0F745758F14422AEE8967A96CF74C686CB40

Function 000000013F224F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F224E24: SysAllocString.OLEAUT32 ref: 000000013F224E5F

VariantClear.OLEAUT32 ref: 000000013F225125

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 000000013F225017
ROOT\CIMV2, xrefs: 000000013F224F7B
Windows 10, xrefs: 000000013F22510A
Name, xrefs: 000000013F2250F9
WQL, xrefs: 000000013F22502A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: f3fc46c889648f91ba412d5db9fa1d25f4cb1a510445df65c32803d78d9d9312
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: AF712C36A10A04D9EB60CF25E9817DE77B4FB88B98F45512AEE4E47B68CF38C645C700

Function 000000013F241604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,000000013F241573,?,?,?,000000013F24192A), ref: 000000013F24162B
GetProcAddress.KERNEL32(?,?,?,000000013F241573,?,?,?,000000013F24192A), ref: 000000013F241648
GetProcAddress.KERNEL32(?,?,?,000000013F241573,?,?,?,000000013F24192A), ref: 000000013F241664

Strings

ReleaseSRWLockExclusive, xrefs: 000000013F241653
AcquireSRWLockExclusive, xrefs: 000000013F24163E
KERNEL32.DLL, xrefs: 000000013F241624

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 7376f6f57124e90e81dd5393b4c0c196059b84d2791a73ca929b7915a0bc6aca
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 8A112D30E22B04C1FE668F12AA443E763A56B08794F5D543D8C1E16794EEBCC68B8700

Function 000000013F22ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F2251A4: GetVersionExW.KERNEL32 ref: 000000013F2251D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013F215AB4), ref: 000000013F22EE05

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 185c51bf08b7752dcbd3d852fcb2eb78a4e42926759e8e1b8e7d4dcfcb991d6e
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 01518AB2B00A50CBEB54CFA9D4453ED77B1F348B98F60402ADE0AA7B58DB78D646C700

Function 000000013F22F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 000000013F22F074

Part of subcall function 000000013F2251A4: GetVersionExW.KERNEL32 ref: 000000013F2251D5

LocalFileTimeToFileTime.KERNEL32 ref: 000000013F22F096
FileTimeToSystemTime.KERNEL32 ref: 000000013F22F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 000000013F22F0B2
SystemTimeToFileTime.KERNEL32 ref: 000000013F22F0C0
SystemTimeToFileTime.KERNEL32 ref: 000000013F22F0CE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: 9d85dbc71d73ad05a6e587ce3bb28337a84f25e88ed9e2be5c018aba85710515
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 39312976B10A50DDEB00CFB5D8813ED7770FB08758F54502AEE0AA7A58EB78C596C711

Function 000000013F227918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F227C8C

Strings

.rar, xrefs: 000000013F227969, 000000013F227978
sfx, xrefs: 000000013F2279F3, 000000013F227A02
exe, xrefs: 000000013F2279AF, 000000013F2279BE
rar, xrefs: 000000013F227A9B, 000000013F227AAA, 000000013F227B67, 000000013F227B7C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: cd8554260ddee3f68471b11ee4aef8921e4c722a44e964939d6ce9a91093e1e4
Instruction ID: e671121ad0a734213dc874b26c8d753dde4e9dffc347283c659a09d93008225e
Opcode Fuzzy Hash: cd8554260ddee3f68471b11ee4aef8921e4c722a44e964939d6ce9a91093e1e4
Instruction Fuzzy Hash: C0A1AE3AA10A04E0EB449F25D8953EE2371F755BA8F901239DE1A176EADF78C687C340

Function 000000013F245CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000013F245D58

Part of subcall function 000000013F245210: abort.LIBCMT ref: 000000013F245223

_CallSETranslator.LIBVCRUNTIME ref: 000000013F245DA3
abort.LIBCMT ref: 000000013F245FD1

Strings

RCC, xrefs: 000000013F245D74
MOC, xrefs: 000000013F245D6C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 2ba1118330794c43c45e79bb1c2e4f72b93f058b0c6cac740a205fe4015f70a9
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: B0914B73A04B94CAE711CB65E8813DE7BB0F745788F14412AEE8967B59DF78C296CB00

Function 000000013F244F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013F244FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 000000013F245040
RtlUnwindEx.KERNEL32 ref: 000000013F24508F

Strings

csm, xrefs: 000000013F245026
f, xrefs: 000000013F244FBE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: d2123708d9dfd8acd07e88e3c265e0cedad91579ae97ff46c1217c39a49849bf
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: E451B336A11600CBEB14CF15E445B9A77B5F344B88F518038EE9A67788DFB4CA42CB40

Function 000000013F21CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013F21D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D0D7

Part of subcall function 000000013F21DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F21CF4B), ref: 000000013F21DE27
Part of subcall function 000000013F21DE04: GetLastError.KERNEL32 ref: 000000013F21DE88
Part of subcall function 000000013F21DE04: CloseHandle.KERNEL32 ref: 000000013F21DE9B

Strings

SeSecurityPrivilege, xrefs: 000000013F21CF3F
SeRestorePrivilege, xrefs: 000000013F21CF5E

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 7d18d790379317f0803995c178e88ab79334658891d984f74db8c16d37a5e77c
Instruction ID: 240fc3cd9c07421bc80502c2127d2790154fe2cc30559bee17652a338641937b
Opcode Fuzzy Hash: 7d18d790379317f0803995c178e88ab79334658891d984f74db8c16d37a5e77c
Instruction Fuzzy Hash: 5C51BD7AF10B40C5FB10DB75D8413EF27B1A7897A4F900139EE59576A6EB78C68BC204

Function 000000013F237B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000013F237B6F
GetWindowRect.USER32 ref: 000000013F237BC0
ShowWindow.USER32 ref: 000000013F237C96
ShowWindow.USER32 ref: 000000013F237CC3

Strings

RarHtmlClassName, xrefs: 000000013F237C4B

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction ID: 614fda70c30c1fcece54fa304bc16942eed30fa91bf131a31c8ba99907a0c139
Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction Fuzzy Hash: 14517376A09F80CAEB64DB25E4543ABA7A1F789B80F04443ADE8647B55DF3CD5468B00

Function 000000013F23FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 000000013F23FD43
SetEnvironmentVariableW.KERNEL32 ref: 000000013F23FDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F23FE1B

Strings

sfxcmd, xrefs: 000000013F23FD3C
sfxpar, xrefs: 000000013F23FDB5

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: a2f2ff4eec9cd023bea60e191487a3fc7b1107ac2ef23f4bce237efce2fc713f
Instruction ID: a36863dd8651e837b24084c9a72b90e4406da0af962cc54adec9e8a143f45ffc
Opcode Fuzzy Hash: a2f2ff4eec9cd023bea60e191487a3fc7b1107ac2ef23f4bce237efce2fc713f
Instruction Fuzzy Hash: F5317E72A10B48C4EF04CBA5E8893DE3371F748B98F54012ADE5E57BA9DE74C242C384

Function 000000013F23FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 000000013F23FF60
REPLACEFILEDLG, xrefs: 000000013F23FF34, 000000013F23FF99

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 3ea0cad53357b03331b0f0f7a27ad6b179e4eadf876aca9374746c8278ec8644
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: E921E4B1A05F45C0FA148B59B8443EA67A1E34AB88F14013ED959473A2DB3CC68BC740

Function 000000013F24BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000013F24BFD0
GetProcAddress.KERNEL32 ref: 000000013F24BFE6
FreeLibrary.KERNEL32 ref: 000000013F24C00B

Strings

CorExitProcess, xrefs: 000000013F24BFDF
mscoree.dll, xrefs: 000000013F24BFC7

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 6d10b0998edb5d21d11aa36a0e71de494284e9e60962646ebec914538b7cb430
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 2FF06235A11A44C1EF498B25F4483EAA3A0EB88794F44603DDD4F46665DF7CC68AC700

Function 000000013F2545C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F254605

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 9fd909aab3c3ace5bf353da4956ed01f9f55b2a852425daa540ce0f34aa22e2e
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 4581CB72F20650C9FB209B6698A8BEEE6A0B345B98F41412DDE0F57B95CB34C647C310

Function 000000013F223AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000013F223BBB
CreateFileW.KERNEL32 ref: 000000013F223C24
SetFileTime.KERNEL32 ref: 000000013F223CEC
CloseHandle.KERNEL32 ref: 000000013F223CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F223D2C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 2e61f30820f3e69737d9660ab18874bee1eef0c333cff69c88e9078c01ead55e
Instruction ID: 0bb87cb89da91f850b5f673ab427f6afcb87e032443e7267346a24f5fa3a7223
Opcode Fuzzy Hash: 2e61f30820f3e69737d9660ab18874bee1eef0c333cff69c88e9078c01ead55e
Instruction Fuzzy Hash: 8351B376F10A40E9FB90CFB5E8547EE63B1A7887A8F4046399E5D567D8DE34CA4AC300

Function 000000013F253F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 000000013F253F91
WideCharToMultiByte.KERNEL32 ref: 000000013F25406D
WriteFile.KERNEL32 ref: 000000013F254093
WriteFile.KERNEL32 ref: 000000013F2540D2
GetLastError.KERNEL32 ref: 000000013F25410A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 92de78a99bfbb9018882d24e6c2a33ec02b323b84ca6bbc0c1b2f6ac0ae70b7b
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: 2451A132A10A50C9EB14CF66E4587DEBBB1F344798F148129DE4A57B99DB34C246C700

Function 000000013F241E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013F241E87
MultiByteToWideChar.KERNEL32 ref: 000000013F241F09
SysAllocString.OLEAUT32 ref: 000000013F241F16

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction ID: d322c2f10391a1a92cd2eece449942cbdaf60b7298e72130bd39d9b370f25321
Opcode Fuzzy Hash: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction Fuzzy Hash: 4B41B031B01748CAEB559F6694443EA72A1F708BA4F54463CEE6EA7BD5DBB8C2438300

Function 000000013F2556D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000013F2556FF
_set_statfp.LIBCMT ref: 000000013F25571A
_set_statfp.LIBCMT ref: 000000013F255736
_set_statfp.LIBCMT ref: 000000013F255772

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 16d092522e11489e489bbbb33cc13f895bf541eddb6564683275cea53c8c575a
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 7A110C36E10B05CDF6541124E54F3EB95816B553BCF48423CEA7F0A6D6DB34CA434207

Function 000000013F23FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 000000013F23FE41
GetMessageW.USER32 ref: 000000013F23FE58
TranslateMessage.USER32 ref: 000000013F23FE63
DispatchMessageW.USER32 ref: 000000013F23FE6E
WaitForSingleObject.KERNEL32 ref: 000000013F23FE7C

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 1b1dffb1cde838925af35a96baf2fdb41b64d80d26a20f11ea57fe749ebcd569
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 67F06D32B30845C2FB109B20F899BAB2321FBE4B05F841034EA4B45895DF2CC64ECB10

Function 000000013F24625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013F246286
abort.LIBCMT ref: 000000013F2464EA

Strings

csm, xrefs: 000000013F24641A
csm, xrefs: 000000013F2462AB

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 42118b5dd9181ccc14145dca5893266b4d3f3f7717ebe4640e5251b4aad9b19d
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 07719272A046D0CADB718F25D4507AEBFB1F305F99F14812ADE8867B89CB78C696C740

Function 000000013F2480F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24811B
_invalid_parameter_noinfo.LIBCMT ref: 000000013F2482ED

Strings

, xrefs: 000000013F248276
*, xrefs: 000000013F248221

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: d841cc90bc2988695fce1df080bb68f7e2e60a7509dc972a4e93e9eefa43021f
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 40514072924A90CAF769CE3886453EE3BB1F706B19F14113ECE4666299C7B4C683DA05

Function 000000013F251758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013F2517CB
MultiByteToWideChar.KERNEL32 ref: 000000013F251894
GetStringTypeW.KERNEL32 ref: 000000013F2518AE

Strings

$%s, xrefs: 000000013F25175A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 1deb968a7d8868c985f4a5f4c2f873e558c6382047618960f6828d87398ab111
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 5C41C832B11B80CAFF618F26D8087DA63A1F754BA8F4802399E1E5B7C5DF78D6428300

Function 000000013F2466A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F245210: abort.LIBCMT ref: 000000013F245223

__except_validate_context_record.LIBVCRUNTIME ref: 000000013F24674A
_CreateFrameInfo.LIBVCRUNTIME ref: 000000013F246776

Strings

csm, xrefs: 000000013F246876

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: cdb8c2b07d2ac3c36f0d746f27af6c9b1d4785f1156ddb7d3fc97a6ad9b0706b
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: B0515B72A15B50C7EA20EB26E44139F7BB4F389B90F540529EF8917B56CF78C562CB00

Function 000000013F24C2C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000013F242CD5), ref: 000000013F24C30B

Strings

C:\Users\user\Desktop\0442.pdf.exe, xrefs: 000000013F24C2F9
0&, xrefs: 000000013F24C311

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: 0&$C:\Users\user\Desktop\0442.pdf.exe
API String ID: 3307058713-1160771536
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 8c8c2ac632d99d705c783bd4dd817a576e837e82a164a1534f44e31a18d9764d
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: EA417B72A00A50CAEB15DF2AA8403EE77B4E784BD4F45403AEE4A57B46DF79C6428740

Function 000000013F254360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000013F254446
WriteFile.KERNEL32 ref: 000000013F254479
GetLastError.KERNEL32 ref: 000000013F25449B

Strings

U, xrefs: 000000013F254424

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: eb077b74b303f61d1274110f8a3f8fb9fdbce5be15b4e61ae846f5d9df02314a
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: E441A232615A84C2EB208F26E8597EAF7A1F788794F444135EE4E87B98DB7CC646C740

Function 000000013F2390B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013F2390D9
GetObjectW.GDI32 ref: 000000013F239107
ReleaseDC.USER32 ref: 000000013F2391BB

Strings

, xrefs: 000000013F239153

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 88cc3a5cfbcb0cabd6d55f3487450b1593c4d0a90cb9cf9b70896a6f241fd880
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 5C313436615B4086EA049F12B818B9BB7A0F389FD5F504439EE4A57B69CF3CE54ECB10

Function 000000013F22E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,000000013F23317F,?,?,00001000,000000013F21E51D), ref: 000000013F22E8BB
CreateSemaphoreW.KERNEL32 ref: 000000013F22E8CB
CreateEventW.KERNEL32(?,?,?,000000013F23317F,?,?,00001000,000000013F21E51D), ref: 000000013F22E8E4

Strings

Thread pool initialization failed., xrefs: 000000013F22E900

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: b73f11190d3b86bff771da3939ad93ae16d0cf120e18c2e2fe927d33fec4332a
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: FB21B432E11A44C6FB508F24D4587DE36A2F798B0CF188038CA494A295DFBEC656C784

Function 000000013F2385E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013F2385EC
GetDeviceCaps.GDI32 ref: 000000013F2385FD
ReleaseDC.USER32 ref: 000000013F23860A

Strings

, xrefs: 000000013F238610

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 6a7f6d5dd244ea8fb6ae81f2de591c81b70e407cc2b1d2e2ca0f00fd8ace6a4e
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 4BE0C230B04A40C2FB0867B6B58932B2261E34CBD0F158039DA1B47799CF3CC5CA4310

Function 000000013F21D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 000000013F21D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21D560

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: fd4bf53bfdfb75847e8e456477d5ec84f1ccce8e3f545aec7fedd5d5e9a8f738
Instruction ID: dfb8d8a5cc5a14e6f61799aac59216c220d6cf4cd74d7747a8d754e0d30b488f
Opcode Fuzzy Hash: fd4bf53bfdfb75847e8e456477d5ec84f1ccce8e3f545aec7fedd5d5e9a8f738
Instruction Fuzzy Hash: 9EA1CC76B10B84D2EA10DB65E8843DF6371F785784F80522AEA9D17AEADF38C746C704

Function 000000013F230548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013F2305FC
SetLastError.KERNEL32 ref: 000000013F230697

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7936dbe671a94e08b05b2b3b32e462f49504e3c7108ba41fc675490ea87a0fab
Instruction ID: 949440b38a13aa58af26cf0378b5efa76c30d63aad67bac82a5dae43551cc8b3
Opcode Fuzzy Hash: 7936dbe671a94e08b05b2b3b32e462f49504e3c7108ba41fc675490ea87a0fab
Instruction Fuzzy Hash: B851AD72B10A44D9FB00DB65D4453DE2331E788B98F40423AEA5C57BEAEE74C346C344

Function 000000013F239D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000013F239DBC
GetLastError.KERNEL32 ref: 000000013F239E08
CreateDirectoryW.KERNEL32 ref: 000000013F239F10
LocalFree.KERNEL32 ref: 000000013F239F20

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction ID: 30a457f93e5754f93544bace94ef193a92df5fbd506e01761de39e9d2d14f1a8
Opcode Fuzzy Hash: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction Fuzzy Hash: 05516D32A14B41C6EB508F62E4447DF77B5F785B84F50102AEA8A67A58DF3CC60ACB40

Function 000000013F24DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24DBAF
WideCharToMultiByte.KERNEL32 ref: 000000013F24DC81
GetLastError.KERNEL32 ref: 000000013F24DCA4
_invalid_parameter_noinfo.LIBCMT ref: 000000013F24DCD6

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: e51a1009edc095915fbbe917cbaf1e85b4a087d95d75676529980f6d62813751
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: AE41B572E06780C6FB65DF50D1403EBA6B0EB90B90F968139DB5567AD5DBF8CA438B00

Function 000000013F223980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 000000013F2239BD
MoveFileW.KERNEL32 ref: 000000013F223A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F223AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F223AF1

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: bbac506f016d9360db9e17d2d1671c16b614b755f6a366ad0dc26eec498b4da2
Instruction ID: 1bfaa2e48b5ca85fa865c7ca9a0d7ca1ec6c276f801add04b39c4123fc791d5f
Opcode Fuzzy Hash: bbac506f016d9360db9e17d2d1671c16b614b755f6a366ad0dc26eec498b4da2
Instruction Fuzzy Hash: 2A419F72F10B50D4FB00CF75E8857DE2372BB44BA8F505239EE5A6AA99DF74C646C240

Function 000000013F250B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013F24C45B), ref: 000000013F250B91
WideCharToMultiByte.KERNEL32 ref: 000000013F250BF3
WideCharToMultiByte.KERNEL32 ref: 000000013F250C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013F24C45B), ref: 000000013F250C57

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: ff9c3577a7dcd7d3c13075588edd48daa39bc41d9d935962bc316354fd41d6e5
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 8C219E31F15B95C1E624DF12A84939AF6A4FB98BD1F4842389E8F63BA4DF38C5538304

Function 000000013F24D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000013F247F28,?,?,?,000000013F249D35), ref: 000000013F24D44A
SetLastError.KERNEL32(?,?,?,000000013F247F28,?,?,?,000000013F249D35), ref: 000000013F24D4B2
SetLastError.KERNEL32(?,?,?,000000013F247F28,?,?,?,000000013F249D35), ref: 000000013F24D4C8
abort.LIBCMT ref: 000000013F24D4CE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
Instruction ID: e15ba7c8401178cbbfea09a48feef3bf217ef34f051d1c9cf0775e8ebcb927bc
Opcode Fuzzy Hash: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
Instruction Fuzzy Hash: F701BC34F01644C3FA59A731A65A3FB11B15B84B90F86083CAD2B63BD6EDA8DA078610

Function 000000013F238590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013F238598
GetDeviceCaps.GDI32 ref: 000000013F2385AE
GetDeviceCaps.GDI32 ref: 000000013F2385C2
ReleaseDC.USER32 ref: 000000013F2385D3

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 1c1d974ba5d8bd1d4a9f7f6a1e2a9eadd96c268e3ba7adcbbc46297a2a529c37
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 97E09270E11F44C2FF186B7569593972191AB48741F18443E9C1B5A355DF3CD69EC720

Function 000000013F21E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F21E549

Strings

DXGIDebug.dll, xrefs: 000000013F21E35A

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 30735fc0874bb79453b7a58344767550bacd8fea16fe076cd684d77636adcf15
Instruction ID: 6327b21102e9737d463b5c10619e89ba5c372aac32e99e41b2920ca09c97f7f4
Opcode Fuzzy Hash: 30735fc0874bb79453b7a58344767550bacd8fea16fe076cd684d77636adcf15
Instruction Fuzzy Hash: 08719D72A10B80D6EB14CF25E8443DEB3A9FB54794F44422ADFA907B99DF78D262C344

Function 000000013F24E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013F24E237

Strings

gfff, xrefs: 000000013F24E362
e+000, xrefs: 000000013F24E2DF

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: a7ebbfda9e1f9a222cf85a767647be565c9f2a13dfac0c7204fd788586d1f054
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 94512672B14BC0C6F7258F35994139E6FA1E391B90F489239CBA897BD6CBACC546C700

Function 000000013F229408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F2295A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F2295E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F22959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013F2295A2

Strings

SIZE, xrefs: 000000013F229443

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 6bf5c94b90f936377cecc09889f3643346e9af6ef61bc9371a2428e611e7cd9c
Instruction ID: 174cdcc6aa657a80d8fa7b599effb1a3b6be3c6bd305812c0b7acf486677e3ce
Opcode Fuzzy Hash: 6bf5c94b90f936377cecc09889f3643346e9af6ef61bc9371a2428e611e7cd9c
Instruction Fuzzy Hash: 5141D472B20B80D5EE60DF26E4413EF7360EB85794F504239AB9D466DAEB79C742C700

Function 000000013F239B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F21255C: GetDlgItem.USER32 ref: 000000013F2125AC
Part of subcall function 000000013F21255C: SetWindowTextW.USER32 ref: 000000013F2125C8

EndDialog.USER32 ref: 000000013F239C24
SetDlgItemTextW.USER32 ref: 000000013F239CAA

Strings

ASKNEXTVOL, xrefs: 000000013F239B72

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: 917df5de715c13092a02e8c1229aba3f3d6d27b09e3ab10781a29d686c1aac1e
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: E7418272A05A80C1FA109B56E5543EB37B2E78ABC0F54003EDE49077AACF39C647C340

Function 000000013F229638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013F2296EA

Part of subcall function 000000013F230F68: WideCharToMultiByte.KERNEL32 ref: 000000013F230F99

Strings

$%s, xrefs: 000000013F2296D7
@%s, xrefs: 000000013F2296CE

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: e28514637bf9200e9ea158c8dfee4706da1eb812853153d5525f45dc1adfa3fa
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 3F319AB6B10A84E6EA90CF66E4407EA73A0F744BC8F40503AEE4D17B95EE38C606D740

Function 000000013F24EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 000000013F24EB76
GetFileType.KERNEL32 ref: 000000013F24EB8C

Strings

@, xrefs: 000000013F24EBB7

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: f44c5c5c793d4d06c74a9bd473d1938491d1078c9193b133f75df3763308a480
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: 2D219632A04F81C1FB648B2594A03AE6661F785774F28132DDAAB17FD4CB79CA83C341

Function 000000013F244078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F241D3E), ref: 000000013F2440BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F241D3E), ref: 000000013F244102

Strings

csm, xrefs: 000000013F2440EF

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: b993cfee2f7fd5d05a2f9c9e14a3a48a41d1181f5692e599316264573c81cdcd
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 1C113632604B84C2EB648B15E54039AB7E1F788B94F184229EF8D07B68DF7DC666CB00

Function 000000013F22EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000013F22E95F,?,?,?,000000013F22463A,?,?,?), ref: 000000013F22EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000000013F22EA78

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: bba037541e0a929c714b65e9e06e19334960a6799e12655dd11c25a0fcc5ee87
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 2DE04F36E11840C1F650A7319C467DA32217764770F904338E43A811F19B68CB4FC300

Function 000000013F22A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000013F22A447
FindResourceW.KERNEL32 ref: 000000013F22A45D

Strings

RTL, xrefs: 000000013F22A453

Memory Dump Source

Source File: 00000000.00000002.358562107.000000013F211000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013F210000, based on PE: true

Associated: 00000000.00000002.358391568.000000013F210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358619663.000000013F258000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F26B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358683128.000000013F274000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358721252.000000013F27A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358730731.000000013F27E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358761993.000000013F27F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f210000_0442.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 0a27ea3207752342eb1e4b936402aca5b0e6c27ed71352babdaffdb28275cd39
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: ACD05EB1F11604C2FF194B76A44D3E662505718F41F48802C8C0B06390EE6CC28ACB51

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0442.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6aadef.rbs

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

Windows Analysis Report
0442.pdf.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre