Edit tour

Windows Analysis Report
0442.pdf.exe

Overview

General Information

Sample name:	0442.pdf.exe renamed because original name is a hash value
Original sample name:	.pdf.exe
Analysis ID:	1580689
MD5:	4f6b2b9ee57c50d6c505d0cdada4803e
SHA1:	ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256:	62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Enables network access during safeboot for specific services

Enables remote desktop connection

Initial sample is a PE file and has a suspicious name

Uses an obfuscated file name to hide its real file extension (double extension)

Uses ping.exe to check the status of other devices and networks

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Stores files to the Windows start menu directory

Stores large binary data to the registry

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

0442.pdf.exe (PID: 3412 cmdline: "C:\Users\user\Desktop\0442.pdf.exe" MD5: 4F6B2B9EE57C50D6C505D0CDADA4803E)

msiexec.exe (PID: 3524 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn MD5: AC2E7152124CEED36846BD1B6592A00F)

cmd.exe (PID: 3532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

PING.EXE (PID: 3580 cmdline: ping 8.8.8.8 MD5: 5FB30FE90736C7FC77DE637021B1CE7C)

AcroRd32.exe (PID: 3552 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf" MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 3984 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

AcroRd32.exe (PID: 3596 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf" MD5: 2F8D93826B8CBF9290BC57535C7A6817)

msiexec.exe (PID: 3656 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

ROMFUSClient.exe (PID: 3892 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 3916 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 1512 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 1724 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 3496 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 3516 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMServer.exe (PID: 3580 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 3992 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 3968 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.ROMFUSClient.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
10.0.ROMServer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0442.pdf.exe, NewProcessName: C:\Users\user\Desktop\0442.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0442.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\user\Desktop\0442.pdf.exe", ProcessId: 3412, ProcessName: 0442.pdf.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, ProcessId: 3552, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0442.pdf.exe	ReversingLabs: Detection: 26%
Source: 0442.pdf.exe	Virustotal: Detection: 47%			Perma Link

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: 0442.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1224

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF7B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013FF7B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF640BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013FF640BC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF8FCA0 FindFirstFileExA,	0_2_000000013FF8FCA0

Networking

Enables network access during safeboot for specific services

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry value created: NULL Service

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 101.99.91.150:5651

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.91.150

Source: ROMServer.exe, 0000000A.00000002.386473610.0000000000D40000.00000004.00000020.00020000.00000000.sdmp, AledensoftIpcServer.dll.8.dr, ROMwln.dll.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: ROMFUSClient.exe, 00000009.00000000.383021040.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.384080641.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, ROMServer.exe, 00000011.00000002.765338203.000000000150C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000253C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000243D000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.8.dr, Taiwan.lg.8.dr	String found in binary or memory: http://litemanager.com/
Source: ROMServer.exe, 00000011.00000002.765338203.0000000001513000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03Q
Source: ROMFUSClient.exe, 00000014.00000002.765257050.0000000002543000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03T
Source: ROMServer.exe, 00000011.00000002.765338203.000000000150C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000253C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 00000009.00000000.383021040.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.384080641.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr	String found in binary or memory: http://litemanager.ru/
Source: ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMServer.exe0.8.dr	String found in binary or memory: http://litemanager.ru/noip.txtU
Source: ROMServer.exe, 0000000A.00000002.386473610.0000000000D40000.00000004.00000020.00020000.00000000.sdmp, AledensoftIpcServer.dll.8.dr, ROMwln.dll.8.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMFUSClient.exe, 00000009.00000003.386948729.000000000259F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000A.00000003.386085562.00000000028AF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000951000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe, 0000000D.00000003.394358890.00000000026CF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.392280910.00000000026AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000F.00000003.411410672.000000000265F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000010.00000003.410549584.000000000279F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000002.765338203.000000000147F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.765264811.00000000024CF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	String found in binary or memory: http://www.indyproject.org/
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: ROMFUSClient.exe.8.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 0442.pdf.exe

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF5C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013FF5C2F0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49c0c0.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49c0c2.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49c0c2.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC938.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49c0c4.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49c0c4.msi	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\49c0c2.ipi

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF71F20	0_2_000000013FF71F20
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF7CE88	0_2_000000013FF7CE88
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF55E24	0_2_000000013FF55E24
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF64928	0_2_000000013FF64928
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF5F930	0_2_000000013FF5F930
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF80754	0_2_000000013FF80754
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6A4AC	0_2_000000013FF6A4AC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF73484	0_2_000000013FF73484
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF7B190	0_2_000000013FF7B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6AF18	0_2_000000013FF6AF18
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF78DF4	0_2_000000013FF78DF4
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF80754	0_2_000000013FF80754
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF72D58	0_2_000000013FF72D58
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF88C1C	0_2_000000013FF88C1C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF74B98	0_2_000000013FF74B98
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6BB90	0_2_000000013FF6BB90
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF65B60	0_2_000000013FF65B60
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF95AF8	0_2_000000013FF95AF8
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF51AA4	0_2_000000013FF51AA4
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF72AB0	0_2_000000013FF72AB0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF8FA94	0_2_000000013FF8FA94
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF61A48	0_2_000000013FF61A48
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF889A0	0_2_000000013FF889A0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF73964	0_2_000000013FF73964
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6C96C	0_2_000000013FF6C96C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF54840	0_2_000000013FF54840
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF8C838	0_2_000000013FF8C838
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF576C0	0_2_000000013FF576C0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF92550	0_2_000000013FF92550
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6B534	0_2_000000013FF6B534
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF753F0	0_2_000000013FF753F0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF5A310	0_2_000000013FF5A310
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF5C2F0	0_2_000000013FF5C2F0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF57288	0_2_000000013FF57288
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6126C	0_2_000000013FF6126C
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF721D0	0_2_000000013FF721D0
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF6F180	0_2_000000013FF6F180
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF92080	0_2_000000013FF92080

Source: ROMViewer.exe.8.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.8.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.8.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ROMFUSClient.exe.8.dr	Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe.8.dr	Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe0.8.dr	Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.8.dr	Static PE information: Number of sections : 11 > 10

Source: ROMViewer.exe.8.dr

Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'

Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.369907280.0000000000136000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroRd32.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.366872053.0000000002F10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe

Source: classification engine

Classification label: mal84.troj.evad.winEXE@41/43@0/2

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF5B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_000000013FF5B6D8

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF78624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_000000013FF78624

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray

Source: C:\Users\user\Desktop\0442.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4830929

Jump to behavior

Source: Yara match	File source: 9.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED

Source: C:\Users\user\Desktop\0442.pdf.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "

Source: C:\Windows\System32\cmd.exe	Console Write: ................(...............o.f..............<........................V(.V.. ........`.J....p@".............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................(...............................0\|......................?.V(.V....................".............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................8...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>.............x.......D..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................8...............p.i.n.g........./.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................8............... .8...8...8...8. .........................V(.V..p.i.n.g.........p@".............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................8............................... .........................V(.V..p.i.n.g.........p@".............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................$.......................................................?.V(.V....................".............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................$...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>.............x.......D..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................$...............c.l.s.........../.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................$.........................................................V(.V..c.l.s...........p@".............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.......................................................?.V(.V....................".............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>.............x.......D..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d...............d.e.l.........../.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.........................................................V(.V..d.e.l...........p@".............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.........................................................V(.V..d.e.l...........p@".............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ...................J....................................@c.J..... ......p.................Ow............................X.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.......................................................?.V(.V....................".............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d...............c.l.s.........../.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.........................................................V(.V..c.l.s...........p@".............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.......................................................?.V(.V....................".............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d...............e.x.i.t..........&.J....................0........[1.............X%.J............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................d.........................................................V(.V..e.x.i.t.........p@".............(...............................	Jump to behavior

Source: 0442.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\0442.pdf.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0442.pdf.exe	ReversingLabs: Detection: 26%
Source: 0442.pdf.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\0442.pdf.exe

File read: C:\Users\user\Desktop\0442.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0442.pdf.exe "C:\Users\user\Desktop\0442.pdf.exe"
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Windows\System32\PING.EXE	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Windows\System32\PING.EXE	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray

Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: shcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: shcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dhcpcsvc.dll

Source: C:\Users\user\Desktop\0442.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Start LM-Server.lnk.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Uninstall LiteManager - Server.lnk.8.dr	LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
Source: Stop LM-Server.lnk.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Settings for LM-Server.lnk.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0442.pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0442.pdf.exe

Static file information: File size 11409543 > 1048576

Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0442.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0442.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 0442.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe

Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0442.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\0442.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4830929

Jump to behavior

Source: 0442.pdf.exe	Static PE information: section name: .didat
Source: 0442.pdf.exe	Static PE information: section name: _RDATA
Source: ROMViewer.exe.8.dr	Static PE information: section name: .didata
Source: ROMFUSClient.exe.8.dr	Static PE information: section name: .didata
Source: ROMwln.dll.8.dr	Static PE information: section name: .didata
Source: ROMServer.exe.8.dr	Static PE information: section name: .didata
Source: HookDrv.dll.8.dr	Static PE information: section name: .didata
Source: ROMServer.exe0.8.dr	Static PE information: section name: .didata
Source: ROMwln.dll.10.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF95166 push rsi; retf		0_2_000000013FF95167
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF95156 push rsi; retf		0_2_000000013FF95157

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File created: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\romserver.exe

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (132).png

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 0442.pdf.exe

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 3632	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3780	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3780	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 3484	Thread sleep count: 46 > 30
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 2104	Thread sleep time: -156000s >= -30000s

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF7B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013FF7B190
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF640BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_000000013FF640BC
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF8FCA0 FindFirstFileExA,	0_2_000000013FF8FCA0

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF816A4 VirtualQuery,GetSystemInfo,

0_2_000000013FF816A4

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF876D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000013FF876D8

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF90D20 GetProcessHeap,

0_2_000000013FF90D20

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start

Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF82D50 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_000000013FF82D50
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF876D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013FF876D8
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF82510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000013FF82510
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF83354 SetUnhandledExceptionFilter,	0_2_000000013FF83354
Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_000000013FF83170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013FF83170

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF7B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013FF7B190

Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF6DC70 cpuid

0_2_000000013FF6DC70

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_000000013FF7A2CC

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF80754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000000013FF80754

Source: C:\Users\user\Desktop\0442.pdf.exe

Code function: 0_2_000000013FF64EB0 GetVersionExW,

0_2_000000013FF64EB0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1224

Remote Access Functionality

Enables remote desktop connection

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Scripting	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	1 Software Packing	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Process Injection	1 DLL Side-Loading	NTDS	55 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	222 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0442.pdf.exe	26%	ReversingLabs	Win64.Trojan.Uztuby
0442.pdf.exe	47%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	8%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	3%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	0%	ReversingLabs
C:\Windows\SysWOW64\ROMwln.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://litemanager.com/03Q	0%	Avira URL Cloud	safe
http://litemanager.com/03T	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://litemanager.com/1	ROMServer.exe, 00000011.00000002.765338203.000000000150C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000253C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://litemanager.ru/	ROMFUSClient.exe, 00000009.00000000.383021040.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.384080641.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	ROMFUSClient.exe.8.dr	false		high
https://litemanager.com/soft/pro/ROMServer.zip	ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	false		high
https://sectigo.com/CPS0	ROMFUSClient.exe.8.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	ROMFUSClient.exe.8.dr	false		high
https://litemanager.com/romversion.txt	ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	false		high
http://ocsp.sectigo.com0	ROMFUSClient.exe.8.dr	false		high
http://www.symauth.com/rpa00	0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	ROMFUSClient.exe.8.dr	false		high
http://ocsp.thawte.com0	0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	false		high
http://litemanager.com/03Q	ROMServer.exe, 00000011.00000002.765338203.0000000001513000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://litemanager.ru/noip.txtU	ROMServer.exe, 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, ROMServer.exe0.8.dr	false		high
http://litemanager.com/03T	ROMFUSClient.exe, 00000014.00000002.765257050.0000000002543000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://litemanager.com/	ROMFUSClient.exe, 00000009.00000000.383021040.00000000008E4000.00000002.00000001.01000000.00000007.sdmp, ROMServer.exe, 0000000A.00000000.384080641.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, ROMServer.exe, 00000011.00000002.765338203.000000000150C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000253C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.000000000243D000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.8.dr, Taiwan.lg.8.dr	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	ROMFUSClient.exe.8.dr	false		high
http://www.indyproject.org/	ROMFUSClient.exe, 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ROMFUSClient.exe, 00000009.00000003.386948729.000000000259F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000A.00000003.386085562.00000000028AF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000A.00000000.383524670.0000000000951000.00000020.00000001.01000000.00000008.sdmp, ROMFUSClient.exe, 0000000D.00000003.394358890.00000000026CF000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.392280910.00000000026AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000F.00000003.411410672.000000000265F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000010.00000003.410549584.000000000279F000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000002.765338203.000000000147F000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000013.00000002.765264811.00000000024CF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.765257050.00000000024AF000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.8.dr, ROMServer.exe0.8.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	ROMFUSClient.exe.8.dr	false		high
http://www.symauth.com/cps0(	0442.pdf.exe, 00000000.00000003.366872053.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.366872053.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp, ms.msi.0.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	ROMFUSClient.exe.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.99.91.150	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	false

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580689
Start date and time:	2024-12-25 17:21:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0442.pdf.exe renamed because original name is a hash value
Original Sample Name:	.pdf.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@41/43@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 77 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.195.60.171, 95.100.170.49, 95.100.170.57
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, acroipm2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	94e.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	94e.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	0442.pdf.exe	Get hash	malicious	Remcos	Browse	101.99.94.64
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	101.99.92.189
	http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.com	Get hash	malicious	Unknown	Browse	101.99.81.34
	lg1wwLsmCX.exe	Get hash	malicious	Unknown	Browse	101.99.75.174

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	gBYz86HSwI.msi	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	gBYz86HSwI.msi	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse
	0438.pdf.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\49c0c3.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	23375
Entropy (8bit):	5.134608756500372
Encrypted:	false
SSDEEP:	384:RH7WtPtOCqZ+cNbynfhzOj3I6oFJsZssOVa:RH6tPtOCqZ+cNbynf5H6oFJWXMa
MD5:	B91D0351210AACD75AD087A91436776A
SHA1:	AA88E962EDD525048B4748FBC34AD4E605A64BF2
SHA-256:	E3FB271F9E91154B6B46A5E2232FE45F900BE4917DBB2D035BE8E9D36AAEB9F7
SHA-512:	74987422AF2E66265676270F6F357DEB3DE856BE8E05EBF4BE373D5A888A9A73FA75F66F5C9C91B33D9E9A3C3E96A9C50B41CCB65291D1BEBE38374F6F39236F
Malicious:	false
Preview:	...@IXOS.@.....@.Z.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-BE

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132032
Entropy (8bit):	6.10195829980833
Encrypted:	false
SSDEEP:	3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
MD5:	C40455A478E0B76521130D9DAAAADC4B
SHA1:	42DE923D5E36A9F56B002DD66DB245BC44480089
SHA-256:	308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
SHA-512:	76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: gBYz86HSwI.msi, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
Category:	dropped
Size (bytes):	58679
Entropy (8bit):	4.738446173390891
Encrypted:	false
SSDEEP:	768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
MD5:	BAED4E7AF33F77350D454B69317EE63B
SHA1:	2B598774F0C73850A36117F29EA8DAC57BE1C138
SHA-256:	671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
SHA-512:	E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89220
Entropy (8bit):	3.469297258214741
Encrypted:	false
SSDEEP:	768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
MD5:	B1C96EF24061BF294CAC6C4C9CBF7757
SHA1:	5D1B1934091E257B5F1C69B13F5FC1E424348584
SHA-256:	20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
SHA-512:	6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201728
Entropy (8bit):	6.3607488106285075
Encrypted:	false
SSDEEP:	3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
MD5:	1D4F8CFC7BBF374CCC3AAE6045B2133D
SHA1:	802EDF0B0ED1D0305BCD6688EE3301366FEC1337
SHA-256:	C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
SHA-512:	68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: gBYz86HSwI.msi, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse Filename: 0438.pdf.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...\|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	61034
Entropy (8bit):	4.429529654892776
Encrypted:	false
SSDEEP:	768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
MD5:	7303B5AE0B8911CEB238DC01419695BE
SHA1:	22B89BDB8FAEC62BA3E66639E38E6271B593944A
SHA-256:	88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
SHA-512:	8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
Malicious:	false
Preview:	[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.\|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.\|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	58794
Entropy (8bit):	3.642324420313977
Encrypted:	false
SSDEEP:	768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
MD5:	606DC375E898D7221CCB7CEB8F7C686B
SHA1:	26DCF93876C89283623B8150C1B79EDB24B6A7EC
SHA-256:	F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
SHA-512:	9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
Category:	dropped
Size (bytes):	87912
Entropy (8bit):	4.303374267443204
Encrypted:	false
SSDEEP:	768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
MD5:	3FC082E8F516EAD9FC26AC01E737F9EF
SHA1:	3B67EBCE4400DDCF6B228E5668F3008561FB8F21
SHA-256:	3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
SHA-512:	9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6307408
Entropy (8bit):	6.5944937257467116
Encrypted:	false
SSDEEP:	98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
MD5:	63D0964168B927D00064AA684E79A300
SHA1:	B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
SHA-256:	33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
SHA-512:	894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7753808
Entropy (8bit):	6.615075046955521
Encrypted:	false
SSDEEP:	98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
MD5:	F3D74B072B9697CF64B0B8445FDC8128
SHA1:	8408DA5AF9F257D12A8B8C93914614E9E725F54C
SHA-256:	70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
SHA-512:	004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	94772
Entropy (8bit):	4.284840986247552
Encrypted:	false
SSDEEP:	768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
MD5:	0E204FABE68B4B65ED5E0834651FB732
SHA1:	B338A6E54AA18F3F8A573580520F16C74A51F3D2
SHA-256:	302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
SHA-512:	AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7752272
Entropy (8bit):	6.615186281886958
Encrypted:	false
SSDEEP:	98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
MD5:	84FB34E529BEDE393A3F604EAA8137B2
SHA1:	195EA03B7BD086454A13C0D8357E0A9E447D9EC9
SHA-256:	1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
SHA-512:	A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11361360
Entropy (8bit):	6.496049600782297
Encrypted:	false
SSDEEP:	98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
MD5:	B0E355EC3453C8FFAEE08CD4257E96F2
SHA1:	0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
SHA-256:	60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
SHA-512:	B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:23:01 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2098
Entropy (8bit):	3.820083871559473
Encrypted:	false
SSDEEP:	48:8VdOKFouL1Zd5Y+d5YsP5qoZkmrSUp8JWqoZkmReiN:8nFo19O5qoZbcJWqoZbReiN
MD5:	DB4C0E72AFE3336686E7B6E36A2DF495
SHA1:	922A01893CAFE2965A277E4C395753427D6C469D
SHA-256:	B26124C140F3F79C4912BFE181B74D56808BDEC10D715F12F76B5194E1A2938B
SHA-512:	05F7ABDAC7698867C9F99D857696D9F6059D83F71AD8C627CD662A198FB6A8A54A02BDBFB60F8E26642B4584846DDE1439B7A8C85F016B76E3BA095C3421AA7D
Malicious:	false
Preview:	L..................F.@.. ......=......VD.V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2..\|.......:...Y.....................R.....P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....v.1......Y...LITEMA~1..^......Y...Y..........................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....d.2.PPv..Y%. .ROMSER~1.EXE..H.......Y%..Y.*.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k...........h. .....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.c.o.n.f.i.g

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1878
Entropy (8bit):	3.180022631061714
Encrypted:	false
SSDEEP:	24:8NqdOeK5Jd5Yc/d5YcCP+MTyjvKDDTEVS7ky/4WTyjvKDDTEcUGxy:8wdOn5Jd5Y+d5YcCP5q2DT2S0Wq2DTM
MD5:	4FA9A649BCBCCE9B0F6FF515284D9F58
SHA1:	7B3B20DF66298B4FCC3D64B5FFF300340490109B
SHA-256:	B9169D8C1ABD09A3EB683FB03AF3E43CA5D23B11CDE85B351B6B35AE90B98F79
SHA-512:	49531CB7ED725193D56178A98E27887AF22C6056B3C452D34BEAEDFA037D40288A5F7FFC49C13B8BE30A05D2EF206007354589011EF077F27B77F650BED66CD4
Malicious:	false
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................v.1...........Program Files (x86).T.......................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..^.......................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.d.2...........ROMServer.exe.H..............*.........................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\Installer\{71F

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 15:23:01 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2090
Entropy (8bit):	3.8053286915620177
Encrypted:	false
SSDEEP:	48:8VdOKFouL1Zd5Y+d5Ys5qcxFWT84SslWqcxFWT84eiN:8nFo19s5qcxYT8SWqcxYT84eiN
MD5:	A66A49FB4A4CACF432F24E3C8F098DB9
SHA1:	DF3DA65A0F6C85669CD689BD134D4C438CE84EC7
SHA-256:	A54983B5EB4C34A71DDE5659647EACDFCF190113F09576337121E573A27BC921
SHA-512:	D6DC84B4DFCF3E78BA4DA326AE607D176941F737D6CECDCF20353CE68EB367BF6EDF7F2F2B5A9E72719A60B5AD60995E3F04826245111300B130083F695DD897
Malicious:	false
Preview:	L..................F.@.. ......=......VD.V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2..\|.......:...Y.....................R.....P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....v.1......Y...LITEMA~1..^......Y...Y..........................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....d.2.PPv..Y%. .ROMSER~1.EXE..H.......Y%..Y.*.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k...........h. .....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t.o.p._.s.e.r

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Thu Mar 23 15:18:06 2017, mtime=Thu Mar 23 15:18:06 2017, atime=Thu Mar 23 15:18:06 2017, length=73216, window=hide
Category:	dropped
Size (bytes):	1884
Entropy (8bit):	3.7618004829144374
Encrypted:	false
SSDEEP:	24:8WiikpqQVmG9iNA3wB+sHyjv/+MTyjvejIKZDUHwGS7ke4WTyjvejIKZDUHwI6yv:8W5kVz9iGeHOn5qmjlt6ScWqmjltf9u
MD5:	019789AF7244A0D78893838705EF5396
SHA1:	DF14B7F7CA74870EE89AF734F40F20A0025AE376
SHA-256:	04BE6C6CA6EE5510170C0D550DF7B19944F1AD6DE79D2A95A477977A3B074445
SHA-512:	C1F1EB8592674D2F958225CDB57F0956F3DD3E3A27FC463232C4407BE1B79315E01A2B1ACDBA5EEA52E09538E52EC1515CA61BEF967431146697B94C57421F62
Malicious:	false
Preview:	L..................F.@.. ....:......:......:.............................5....P.O. .:i.....+00.../C:\...................R.1......WG...Windows.<.......:...WG....p.....................W.i.n.d.o.w.s.....V.1......Y...SysWOW64..>.......:...Y....".....................S.y.s.W.O.W.6.4.....^.2.....wJD. .msiexec.exe.D......wJD.wJD.*....[....................m.s.i.e.x.e.c...e.x.e.......N...............-.......M...........h. .....C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	292
Entropy (8bit):	5.209766714927152
Encrypted:	false
SSDEEP:	6:9Qyq2PP2nKuAl9OmbnIFUt8/G1Zmw+QeQRkwOP2nKuAl9OmbjLJ:3vWHAahFUt8O1/+QJ57HAaSJ
MD5:	6A77C0A4208C297C5FF557D1362EA798
SHA1:	8B7BD43F947B52F3322F517C0C93474505C3D70A
SHA-256:	B57CBEF6A480F83067A43E3D25949D20D48DA06A0BAF2A5EE466BC1C0B4A5B9C
SHA-512:	6CC90E55A870878527D9DCD5EA330BD78DE4F08270F5F0B47DDC92174DF709A767885292EDEB4F72C4EBF95914DC7A607B68B612A8A202D6D9621DA0AECCFC6F
Malicious:	false
Preview:	2024/12/25-11:23:07.724 4076 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:23:07.727 4076 Recovering log #3.2024/12/25-11:23:07.729 4076 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.209766714927152
Encrypted:	false
SSDEEP:	6:9Qyq2PP2nKuAl9OmbnIFUt8/G1Zmw+QeQRkwOP2nKuAl9OmbjLJ:3vWHAahFUt8O1/+QJ57HAaSJ
MD5:	6A77C0A4208C297C5FF557D1362EA798
SHA1:	8B7BD43F947B52F3322F517C0C93474505C3D70A
SHA-256:	B57CBEF6A480F83067A43E3D25949D20D48DA06A0BAF2A5EE466BC1C0B4A5B9C
SHA-512:	6CC90E55A870878527D9DCD5EA330BD78DE4F08270F5F0B47DDC92174DF709A767885292EDEB4F72C4EBF95914DC7A607B68B612A8A202D6D9621DA0AECCFC6F
Malicious:	false
Preview:	2024/12/25-11:23:07.724 4076 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:23:07.727 4076 Recovering log #3.2024/12/25-11:23:07.729 4076 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF49e975.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.209766714927152
Encrypted:	false
SSDEEP:	6:9Qyq2PP2nKuAl9OmbnIFUt8/G1Zmw+QeQRkwOP2nKuAl9OmbjLJ:3vWHAahFUt8O1/+QJ57HAaSJ
MD5:	6A77C0A4208C297C5FF557D1362EA798
SHA1:	8B7BD43F947B52F3322F517C0C93474505C3D70A
SHA-256:	B57CBEF6A480F83067A43E3D25949D20D48DA06A0BAF2A5EE466BC1C0B4A5B9C
SHA-512:	6CC90E55A870878527D9DCD5EA330BD78DE4F08270F5F0B47DDC92174DF709A767885292EDEB4F72C4EBF95914DC7A607B68B612A8A202D6D9621DA0AECCFC6F
Malicious:	false
Preview:	2024/12/25-11:23:07.724 4076 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-11:23:07.727 4076 Recovering log #3.2024/12/25-11:23:07.729 4076 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.008898238653846898
Encrypted:	false
SSDEEP:	3:ImtVnM1xVlt/rt/l3Sxdlt4dV1gt/lop:IiV0xlzaxdX4m1lo
MD5:	3B8BF2F369CA7ABDF0636EE15DDEF161
SHA1:	4B82D483B79B555C62AA17F31F24F43C38F2C80F
SHA-256:	100201408FDCFA835C8699C6C2FCE748C5C3844C386053F9AA7CAD622373BFCA
SHA-512:	457D92EA15FA528E7BE3ED8136A267BD08A4D7866FDD7C353CFEB898F896983B40BB48156DC25D5E00EC118C6309337F3A9344226D1635F94D7F4A122D3DD87E
Malicious:	false
Preview:	VLnk.....?......LhXJ ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241225162305Z-270.bmp

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	1.3323487663569655
Encrypted:	false
SSDEEP:	96:EA/2SxICG/fi6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/dn:a2sZElTElTElTElTElTElTElTEll
MD5:	428B72B9BFDB6192E56742AABD9F9639
SHA1:	BB66319303FCC7139F072BDA29268AC76645744B
SHA-256:	27E97FA50AB918372CE9A9D910F38B3F65ED3E13EB45CA2FD41E3202B8C6A499
SHA-512:	B14AE9EB0A304510B5C192F4B4DED451B9238800C62BD370E4947CD737D510157FBB1EB183E515B7D129AD75C4E6593DA6A51A52DC01DBC6F7B404C77CC6850D
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241225162305Z-273.bmp

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	1.3323487663569655
Encrypted:	false
SSDEEP:	96:EA/2SxICG/fi6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/di6vB/2TxVCG/dn:a2sZElTElTElTElTElTElTElTEll
MD5:	428B72B9BFDB6192E56742AABD9F9639
SHA1:	BB66319303FCC7139F072BDA29268AC76645744B
SHA-256:	27E97FA50AB918372CE9A9D910F38B3F65ED3E13EB45CA2FD41E3202B8C6A499
SHA-512:	B14AE9EB0A304510B5C192F4B4DED451B9238800C62BD370E4947CD737D510157FBB1EB183E515B7D129AD75C4E6593DA6A51A52DC01DBC6F7B404C77CC6850D
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	72643
Entropy (8bit):	5.393779678652009
Encrypted:	false
SSDEEP:	768:PCbTjMYOpdyVFWqnPvBRSiRkTIVzY3BC2U5KYDWXUHYyu:AlOpdyVFWcPvBBRkTIdY3qeUHK
MD5:	C3A4BBBE00F7179CE1D39073F1E1EE79
SHA1:	7433B3FF06E6526AE45A32FC56D686C8151466A5
SHA-256:	220BE321F3786316CA2B2DDB64CBD53A8F40A281E5888BCBCEF5FB6CA6076163
SHA-512:	57E9D8D3642893BE538FDE60EAD48A864EF71A7BB3B685B9572EBFBB72BA7AE29BF099D88FEEB6E172374490021A7FA31A0E2D6E1867FBF33F9C8A27AB674971
Malicious:	false
Preview:	4.458.88.FID.2:o:........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.94.FID.2:o:........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.82.FID.2:o:........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.85.FID.2:o:........:F:Aparajita.P:Aparajita.L:&.........................."F:Aparajita.#.99.FID.2:o:........:F:Aparajita-Italic.P:Aparajita Italic.L:&.........................."F:Aparajita.#.95.FID.2:o:........:F:Aparajita-Bold.P:Aparajita Bold.L:&.........................."F:Aparajita.#.108.FID.2:o:........:F:Aparajita-BoldItalic.P:Aparajita Bold Italic.L:&.........................."F:Aparajita.#.93.FID.2:o:........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.75.FID.2:o:........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.89.FID.2:o:........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.85.FID.2:o:........:F:Arial-BoldMT.P:Arial Bold.L:$....

C:\Users\user\AppData\Local\Temp\doc.pdf

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	PDF document, version 1.7, 6 pages
Category:	dropped
Size (bytes):	85137
Entropy (8bit):	7.7513343990244366
Encrypted:	false
SSDEEP:	1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
MD5:	17A9D7D59ED8076A38B9E48533A01A10
SHA1:	1EC63D0BECCCBCE15277A3C227E787131C1E8F74
SHA-256:	631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
SHA-512:	E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J\|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.

C:\Users\user\AppData\Local\Temp\doc2.pdf

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	PDF document, version 1.7, 6 pages
Category:	dropped
Size (bytes):	85137
Entropy (8bit):	7.7513343990244366
Encrypted:	false
SSDEEP:	1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
MD5:	17A9D7D59ED8076A38B9E48533A01A10
SHA1:	1EC63D0BECCCBCE15277A3C227E787131C1E8F74
SHA-256:	631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
SHA-512:	E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J\|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.

C:\Users\user\AppData\Local\Temp\ms.msi

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\start.bat

Download File

Process:	C:\Users\user\Desktop\0442.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.924404357134264
Encrypted:	false
SSDEEP:	3:mKDb2nppLJTXZkRErG+fyM1K/RFofD6ANntch9wQn:hb4ZGaH1MUmy2Nn
MD5:	AA3AAB4A5BCA1D06B08C6F5D6362A5D0
SHA1:	486D423A2B689CC119CE95DFCDC018C7B552FA24
SHA-256:	A0A569883E851B4B965088F9ED9F9FBA80803B47AC6E6DD4B07DF60435184CD4
SHA-512:	2B5F84DFB399F313D11A8BFA2F3F3338CF69711D5C7B6D86E7F876C8B64DB3A664D1E3E4A4A4B0066A6949DE4E64CBA416A40BE56461556F9216EE82DE23D913
Malicious:	false
Preview:	@echo of..ping 8.8.8.8..cls..del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\." /q..cls..exit

C:\Users\user\AppData\Local\Temp\~DF1F77E57C4E4D43B6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06712149920142403
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0AbuJ2vWEJWM1AVky6lO:2F0i8n0itFzDHFfbe2vtJWuO
MD5:	0E8B611CF5EFD5D7F4C345B5C4E1443E
SHA1:	88A30155409C7EF376FB080774D617FCD51EEB6B
SHA-256:	1DDAF54603271883C75BDB3FB0D5D7FA324500D3ECC46649D583F73FE82FBB4D
SHA-512:	6AF62D7F4423FD2635320D0E94D40F31502581BF4CE800729F8040E6A962D4E178DDA94B8C10499FAF03C37BF914598A14B1539FD2A18B83A90958235CA131EE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF31D61F4FC490F708.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8EE21DF2DAFBD844.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.2220730764556764
Encrypted:	false
SSDEEP:	48:PHMmFSBulOd5YpRXd5YNd5YGd5YMd5YmmSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Yk:PH1FqO0Wlfxm0WlfPui
MD5:	1FA9734C1404D40F0697E565253A1BEA
SHA1:	76A3618B54267801C9A1A697F83318364882E643
SHA-256:	57DE8D1F5DE8A48AE8EC8D9E935E633A131F2382B1ABAAF58B4E1329A87B7FE5
SHA-512:	CB44C25D302C2CB86171A72771092D00EB27C5E1AC5B775C998CA6BCE7C66E2EF78EBBDEB9D1EE128B4296E8F834701F71CF0F608B537FFBFF9C4AF19740A7D5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\49c0c0.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\49c0c2.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8139758201669216
Encrypted:	false
SSDEEP:	48:X0scDH3luGcrmSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4EYSBulOd5YpRXd5YNd5j:XBpNKm0WlfPuKqO0WlfIp/
MD5:	7D995251A9BE72BB3C1BFB6FF6651290
SHA1:	9F322C68B32741DD745B2EBD76BDCA3B79C47CE8
SHA-256:	3BBC6FDEE73659D25524A486ACCAE5467177F9287F08D94771C898341C84CACE
SHA-512:	04FCE2400022D140FDD5058059045B859D7ABD7C3502535C3FE1C6141DD14C54B6C6FA4AF7B879784F221DFD77DF00DA35ED50C74B1F2E7BA69FBB01C0EEEF8E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\49c0c4.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11553792
Entropy (8bit):	7.938196666665725
Encrypted:	false
SSDEEP:	196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	B02F581793BE146506FACC3C6AEEBC32
SHA1:	DB1CB3BD3744C77E6E3253CF4480E177A358669A
SHA-256:	1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
SHA-512:	8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIC938.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	292998
Entropy (8bit):	4.840220453174735
Encrypted:	false
SSDEEP:	3072:phoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+cNbynfj:phoy25DXmNDXLDXX+cNbynfj
MD5:	8CD85D295986B36C6A81191550181A74
SHA1:	A929626495DE327618C96F5221E9CB91DB133FAE
SHA-256:	7733FDA412E2AFA9670C9349E5E55D89F795B76D6717C41673C9030023AACFAA
SHA-512:	2544875B7965B2E30993795CA73F02545FD86D91C166B4537C4A6BF8639405119B2A259D59C80F38C1980C349C15992870372922A3077185741FE8B5B5324531
Malicious:	false
Preview:	...@IXOS.@.....@.Z.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49F

C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.160503860746486
Encrypted:	false
SSDEEP:	12:JSbX72FjtaAGiLIlHVRpBh/7777777777777777777777777vDHFfbe2vtJW4pOz:J6QI5V9dviGF
MD5:	C2CB671F6DA1ED5A6939E911C74C9FD0
SHA1:	D62270414E49797C17F16CC0AF932A9851DDD006
SHA-256:	14F02542AB93EB638DC66D7AAF4A11267E0738816C646EB408AC090A6E350D49
SHA-512:	A20CB814E1124166346A5EA648DE9F8AC3B86AB74C87E2FB376310C4EE92A861E1B95046AB9DB46352E1C79A1324CF534D0D57645282A5C5F2EAA3C2FF56F246
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.351781833522881
Encrypted:	false
SSDEEP:	384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
MD5:	CA680899D9330BEB85E6351E6DC0D27B
SHA1:	41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
SHA-256:	EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
SHA-512:	3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.31126714354722
Encrypted:	false
SSDEEP:	384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
MD5:	6A4AFFF2CD33613166B37A0DAB99BD41
SHA1:	FBC0F1696213B459D099A5809D79CFC01253880F
SHA-256:	53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
SHA-512:	7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ROMwln.dll

Download File

Process:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.988555676370944
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0442.pdf.exe
File size:	11'409'543 bytes
MD5:	4f6b2b9ee57c50d6c505d0cdada4803e
SHA1:	ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256:	62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
SHA512:	43607bd5bd78dea051340a684ad3311172adc590e5ffcd8a7c576e3f6ddba7e13750bab2a957b4d9fdec0d68b67d5391e779ee625006d00b82a65ecfc62525ce
SSDEEP:	196608:rqwdhlYLDYm+q6yU4zpDKpuLkQ9aP8F5hidaKsv7kDXFd+bIYW2LJjIeTF:Nw3Yi6yU4zpDeuREkF5PlgP+0ijIeh
TLSH:	75B6334AF79008F8E0E6F67485778425E6723D4E1338A59F57A83A2B7E773118C36722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	0fd88dc89ea7861b

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F71FC4F2E08h
dec eax
add esp, 28h
jmp 00007F71FC4F279Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F71FC4F1C23h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F71FC4F2933h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F71FC4F4947h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F71FC4E11B3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F71FC4F3A02h
int3
jmp 00007F71FC4F9BE4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x154f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x154f4	0x15600	830fe0401acd1728e669a91fa1858e36	False	0.2520559210526316	data	4.6583703321340835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7109c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72648	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m			0.14468236129184905
RT_DIALOG	0x82e70	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x830f8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x83234	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x83320	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x83450	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x83788	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x839dc	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x83bc0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x83d8c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x83f44	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x8408c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x844f8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x84660	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x847b4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x848c0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x8497c	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x84b3c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x84d8c	0x14	data			1.15
RT_MANIFEST	0x84da0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 17:24:14.812747002 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.812880039 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.813553095 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.932512999 CET	80	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:14.932527065 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:14.932593107 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.932605028 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.933024883 CET	8080	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:14.933115959 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.935239077 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.935251951 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.935251951 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.935281038 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.936204910 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:14.936204910 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:15.058480024 CET	80	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:15.058499098 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:15.058542013 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:15.058549881 CET	80	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:15.059341908 CET	8080	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:15.059350014 CET	8080	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:16.475804090 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:16.478280067 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:16.478323936 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:16.478323936 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:16.478323936 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:16.599020004 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:16.599353075 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:16.599361897 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:16.599400997 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:17.130951881 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:17.330307007 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:17.530478001 CET	8080	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:17.531028032 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:17.531824112 CET	49165	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:17.532052040 CET	80	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:17.532134056 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:17.534008980 CET	49164	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:17.652268887 CET	8080	49165	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:17.656179905 CET	80	49164	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:18.146233082 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:18.347388029 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:19.162170887 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:19.361433983 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:20.178141117 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:20.377624035 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:21.193471909 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:21.394553900 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:22.210428953 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:22.485606909 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:23.224801064 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:23.424685001 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:24.240367889 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:24.443732023 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:25.256329060 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:25.463794947 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:26.271733046 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:26.470843077 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:27.287188053 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:27.486921072 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:28.303212881 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:28.502978086 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:29.318999052 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:29.522125959 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:30.334167957 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:30.535209894 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:31.349813938 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:31.549148083 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:32.365381002 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:32.566207886 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:33.380786896 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:33.580271959 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:34.397006035 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:34.602423906 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:35.411981106 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:35.645385981 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:36.412336111 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:36.615474939 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:37.427834034 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:37.628503084 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:38.443511963 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:38.643651962 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:39.458878040 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:39.659616947 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:40.474632025 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:40.675682068 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:41.490776062 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:41.690742970 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:42.505928040 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:42.705914974 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:43.521796942 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:43.721858025 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:44.536938906 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:44.736922979 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:45.552943945 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:45.755989075 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:46.554375887 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:46.756035089 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:47.568671942 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:47.768095970 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:48.583584070 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:48.783255100 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:49.584206104 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:49.789213896 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:50.599713087 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:50.799273014 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:51.615271091 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:51.815345049 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:52.633574963 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:52.833399057 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:53.648346901 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:53.851457119 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:54.662065029 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:54.861515045 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:55.667439938 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:55.867580891 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:56.677489996 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:56.876630068 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:57.693166018 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:57.889698029 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:58.709026098 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:58.908751965 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:24:59.724518061 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:24:59.923820019 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:00.740268946 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:00.939882994 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:01.755635023 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:01.955952883 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:02.776933908 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:02.977009058 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:03.786799908 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:03.996069908 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:04.802628040 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:05.002233028 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:05.859903097 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:06.059170008 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:06.834022999 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:07.034313917 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:07.849498987 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:08.050287008 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:08.865230083 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:09.064352036 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:09.880604982 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:10.077409983 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:10.880913019 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:11.080472946 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:11.896480083 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:12.106532097 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:12.911940098 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:13.111605883 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:13.928356886 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:14.127640963 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.829646111 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.829804897 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.943515062 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:14.949332952 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:14.949342966 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:14.949408054 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.949410915 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.952739000 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.952752113 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.952768087 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:14.952827930 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:15.072577953 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:15.072587967 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:15.072597980 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:15.072602034 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:15.143699884 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:15.958981991 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:16.159751892 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:16.962517023 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:17.161820889 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:17.534373999 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:17.534444094 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:17.534506083 CET	49167	80	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:17.538110971 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:17.538163900 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:17.538233042 CET	49166	8080	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:17.654059887 CET	80	49167	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:17.657751083 CET	8080	49166	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:17.974612951 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:18.175874949 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:18.990590096 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:19.191931963 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:19.990371943 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:20.190141916 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:21.371395111 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:21.540040016 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:21.544071913 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:22.021528006 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:22.223121881 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:23.036919117 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:23.246179104 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:24.052686930 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:24.334233046 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:25.068389893 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:25.268295050 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:26.084290981 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:26.284384966 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:27.219705105 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:27.419419050 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:28.115374088 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:28.314491034 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:29.130790949 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:29.330645084 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:30.131376982 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:30.331686020 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:31.146749020 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:31.346652031 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:32.398966074 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:32.598803997 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:32.704036951 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:32.704191923 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:33.178080082 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:33.377770901 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:34.193867922 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:34.393826962 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:35.209358931 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:35.411906958 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:36.224916935 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:36.424956083 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:37.240309954 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:37.445018053 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:38.257181883 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:38.457082987 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:39.271898985 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:39.471138000 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:40.287169933 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:40.487240076 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:41.287236929 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:41.487246990 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:42.303076029 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:42.502329111 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:43.320437908 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:43.520375013 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:44.333847046 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:44.533457994 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:45.349474907 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:45.550487041 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:46.349819899 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:46.549561024 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:47.365839958 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:47.567616940 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:48.370609045 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:48.570780039 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:49.381155014 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:49.580751896 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:50.397135973 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:50.606796026 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:51.411868095 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:51.611846924 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:52.427774906 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:52.634896040 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:53.443561077 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:53.642987013 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:54.460136890 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:54.663011074 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:55.474802971 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:55.697073936 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:56.490595102 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:56.694139004 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:57.506372929 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:57.706201077 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:58.521748066 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:58.719263077 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:59.127388954 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:59.128128052 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:25:59.537067890 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:25:59.737299919 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:26:00.552686930 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:26:00.752486944 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:26:01.568473101 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:26:01.768446922 CET	49163	5651	192.168.2.22	101.99.91.150
Dec 25, 2024 17:26:02.583733082 CET	5651	49163	101.99.91.150	192.168.2.22
Dec 25, 2024 17:26:02.780493021 CET	49163	5651	192.168.2.22	101.99.91.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 17:23:04.511077881 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:05.262696028 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:06.027098894 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:13.909090042 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:14.658700943 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:15.408747911 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:22.900496960 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:23.650216103 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:24.400270939 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:25.648719072 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:26.398391962 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:23:27.148534060 CET	137	137	192.168.2.22	192.168.2.255
Dec 25, 2024 17:24:42.238029003 CET	138	138	192.168.2.22	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Dec 25, 2024 17:22:57.632667065 CET	192.168.2.22	8.8.8.8	4d5a	Echo
Dec 25, 2024 17:22:57.756275892 CET	8.8.8.8	192.168.2.22	555a	Echo Reply
Dec 25, 2024 17:22:58.698338985 CET	192.168.2.22	8.8.8.8	4d59	Echo
Dec 25, 2024 17:22:58.820831060 CET	8.8.8.8	192.168.2.22	5559	Echo Reply
Dec 25, 2024 17:22:59.740555048 CET	192.168.2.22	8.8.8.8	4d58	Echo
Dec 25, 2024 17:22:59.863132954 CET	8.8.8.8	192.168.2.22	5558	Echo Reply
Dec 25, 2024 17:23:00.844245911 CET	192.168.2.22	8.8.8.8	4d57	Echo
Dec 25, 2024 17:23:00.966800928 CET	8.8.8.8	192.168.2.22	5557	Echo Reply

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	101.99.91.150	80	3580	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:24:14.935239077 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:24:14.935281038 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49167	101.99.91.150	80	3580	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 25, 2024 17:25:14.952739000 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 25, 2024 17:25:14.952752113 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Target ID:	0
Start time:	11:22:54
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\0442.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0442.pdf.exe"
Imagebase:	0x13ff50000
File size:	11'409'543 bytes
MD5 hash:	4F6B2B9EE57C50D6C505D0CDADA4803E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:22:55
Start date:	25/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Imagebase:	0xff3c0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:22:56
Start date:	25/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Imagebase:	0x4ac30000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:22:56
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Imagebase:	0x80000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:22:56
Start date:	25/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 8.8.8.8
Imagebase:	0xff950000
File size:	16'896 bytes
MD5 hash:	5FB30FE90736C7FC77DE637021B1CE7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:22:56
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Imagebase:	0x80000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:22:56
Start date:	25/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xff3c0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:23:02
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.382903108.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:23:02
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.383524670.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:23:04
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x260000
File size:	9'805'808 bytes
MD5 hash:	326A645391A97C760B60C558A35BB068
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	11:23:06
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:23:06
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:23:11
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:23:12
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:23:12
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	11:23:14
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	11:23:15
Start date:	25/12/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.5%
Total number of Nodes:	1503
Total number of Limit Nodes:	24

Executed Functions

Function 000000013FF7B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF5255C: GetDlgItem.USER32 ref: 000000013FF525AC
Part of subcall function 000000013FF5255C: SetWindowTextW.USER32 ref: 000000013FF525C8

EndDialog.USER32 ref: 000000013FF7B2D0
SetDlgItemTextW.USER32 ref: 000000013FF7B320
GetMessageW.USER32 ref: 000000013FF7B350
IsDialogMessageW.USER32 ref: 000000013FF7B369
TranslateMessage.USER32 ref: 000000013FF7B37B
DispatchMessageW.USER32 ref: 000000013FF7B389
EndDialog.USER32 ref: 000000013FF7B3D3
GetDlgItem.USER32 ref: 000000013FF7B410
SendMessageW.USER32 ref: 000000013FF7B431
SendMessageW.USER32 ref: 000000013FF7B449
SetFocus.USER32 ref: 000000013FF7B452
GetLastError.KERNEL32 ref: 000000013FF7B634
GetLastError.KERNEL32 ref: 000000013FF7B665
GetTickCount.KERNEL32 ref: 000000013FF7B68B
GetLastError.KERNEL32 ref: 000000013FF7B6F5
GetCommandLineW.KERNEL32 ref: 000000013FF7B841
CreateFileMappingW.KERNEL32 ref: 000000013FF7B900
MapViewOfFile.KERNEL32 ref: 000000013FF7B923
Sleep.KERNEL32 ref: 000000013FF7B9B6
UnmapViewOfFile.KERNEL32 ref: 000000013FF7B9DF
CloseHandle.KERNEL32 ref: 000000013FF7B9E8
SetDlgItemTextW.USER32 ref: 000000013FF7BCDE
DialogBoxParamW.USER32 ref: 000000013FF7C0D7
EndDialog.USER32 ref: 000000013FF7C0EF
EnableWindow.USER32 ref: 000000013FF7C2A6
SendMessageW.USER32 ref: 000000013FF7C2F8
ShellExecuteExW.SHELL32 ref: 000000013FF7B95B

Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB67
Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB80

SendMessageW.USER32 ref: 000000013FF7BEC3
SendDlgItemMessageW.USER32 ref: 000000013FF7BEEA
GetDlgItem.USER32 ref: 000000013FF7BEF8
SendMessageW.USER32 ref: 000000013FF7BF12
GetDlgItem.USER32 ref: 000000013FF7BF4F
SetDlgItemTextW.USER32 ref: 000000013FF7BFEC
SetDlgItemTextW.USER32 ref: 000000013FF7C004
SetDlgItemTextW.USER32 ref: 000000013FF7C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7C381
SendDlgItemMessageW.USER32 ref: 000000013FF7C449
EndDialog.USER32 ref: 000000013FF7C463
GetDlgItem.USER32 ref: 000000013FF7C491
SetFocus.USER32 ref: 000000013FF7C49A
SendDlgItemMessageW.USER32 ref: 000000013FF7C53E
FindFirstFileW.KERNEL32 ref: 000000013FF7C562
FindClose.KERNEL32 ref: 000000013FF7C68A
SendDlgItemMessageW.USER32 ref: 000000013FF7C7AF

Part of subcall function 000000013FF5129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF51396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7CAC7

Strings

REPLACEFILEDLG, xrefs: 000000013FF7C3D3
p, xrefs: 000000013FF7B7AB
__tmp_rar_sfx_access_check_, xrefs: 000000013FF7B6A9
STARTDLG, xrefs: 000000013FF7B1CA
-el -s2 "-d%s" "-sp%s", xrefs: 000000013FF7B799
winrarsfxmappingfile.tmp, xrefs: 000000013FF7B8E0
LICENSEDLG, xrefs: 000000013FF7C0C9
@, xrefs: 000000013FF7B7B6
%s %s, xrefs: 000000013FF7C6D9, 000000013FF7C946
runas, xrefs: 000000013FF7B7C9

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: 65fbecc059460ab6d6c133513960e294a00871cbfc95bde082d0ac4ee284240a
Instruction ID: 4c2bdaa4a0d053a9c2b07b2815e20e6ccbc3434d5eced6ebca9208880dc70881
Opcode Fuzzy Hash: 65fbecc059460ab6d6c133513960e294a00871cbfc95bde082d0ac4ee284240a
Instruction Fuzzy Hash: ACD28F73A0468581FB209B25E8543EAA369F7867D4F50423DDE4D577AAEF38CB4AC700

Function 000000013FF7CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000013FF7D5F3
SendMessageW.USER32 ref: 000000013FF7D626
SendMessageW.USER32 ref: 000000013FF7D655
MoveFileW.KERNEL32 ref: 000000013FF7DB4B
MoveFileExW.KERNEL32 ref: 000000013FF7DB69
GetTempPathW.KERNEL32 ref: 000000013FF7DC49

Part of subcall function 000000013FF51FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51FFB

EndDialog.USER32 ref: 000000013FF7DFCA
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF7EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF7EF67
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF7EF73

Strings

lnk, xrefs: 000000013FF7E3CA, 000000013FF7E3D9
@set:user, xrefs: 000000013FF7DD96, 000000013FF7DDA5
<br>, xrefs: 000000013FF7D6DA, 000000013FF7D6E9
MAX, xrefs: 000000013FF7EA82, 000000013FF7EA91
ProgramFilesDir, xrefs: 000000013FF7D4F0
MIN, xrefs: 000000013FF7EAE5, 000000013FF7EAF4
HIDE, xrefs: 000000013FF7E9E5, 000000013FF7E9F4
.tmp, xrefs: 000000013FF7DA85
Software\Microsoft\Windows\CurrentVersion, xrefs: 000000013FF7D501
.lnk, xrefs: 000000013FF7E406, 000000013FF7E415

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: e02ea11f63ca83b0232798bb7bc92859ef05eb5995c48a6c2f1b98aa57d00e7c
Instruction ID: 8ca0d947457a328bc1d53bf888adc71de7ccea23447eb9376dfa6de4a5f7b7f2
Opcode Fuzzy Hash: e02ea11f63ca83b0232798bb7bc92859ef05eb5995c48a6c2f1b98aa57d00e7c
Instruction Fuzzy Hash: 05137673B00B8089FB10DF64D8843DD67A9EB44798F90162ADE5D97AE9DF74C68AC340

Function 000000013FF80754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013FF6DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E018
Part of subcall function 000000013FF6DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E030
Part of subcall function 000000013FF6DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E05D

Part of subcall function 000000013FF662DC: GetCurrentDirectoryW.KERNEL32 ref: 000000013FF662F2
Part of subcall function 000000013FF662DC: GetCurrentDirectoryW.KERNEL32 ref: 000000013FF6632C

Part of subcall function 000000013FF7946C: OleInitialize.OLE32 ref: 000000013FF79486
Part of subcall function 000000013FF7946C: SHGetMalloc.SHELL32 ref: 000000013FF794D4

GetCommandLineW.KERNEL32 ref: 000000013FF8096E
OpenFileMappingW.KERNEL32 ref: 000000013FF80A07
MapViewOfFile.KERNEL32 ref: 000000013FF80A30
UnmapViewOfFile.KERNEL32 ref: 000000013FF80A46
MapViewOfFile.KERNEL32 ref: 000000013FF80A63
UnmapViewOfFile.KERNEL32 ref: 000000013FF80ACA
CloseHandle.KERNEL32 ref: 000000013FF80AD3
SetEnvironmentVariableW.KERNEL32 ref: 000000013FF80BAD
GetLocalTime.KERNEL32 ref: 000000013FF80BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF80C13
SetEnvironmentVariableW.KERNEL32 ref: 000000013FF80C26
GetModuleHandleW.KERNEL32 ref: 000000013FF80C2E
LoadIconW.USER32 ref: 000000013FF80C4D
DialogBoxParamW.USER32 ref: 000000013FF80CB6
Sleep.KERNEL32 ref: 000000013FF80CE6
DeleteObject.GDI32 ref: 000000013FF80D0D
DeleteObject.GDI32 ref: 000000013FF80D1F
CloseHandle.KERNEL32 ref: 000000013FF80D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF80DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF80DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF80DE3

Part of subcall function 000000013FF7FD0C: SetEnvironmentVariableW.KERNEL32 ref: 000000013FF7FD43
Part of subcall function 000000013FF7FD0C: SetEnvironmentVariableW.KERNEL32 ref: 000000013FF7FDBC

Strings

STARTDLG, xrefs: 000000013FF80CA5
winrarsfxmappingfile.tmp, xrefs: 000000013FF809F9
sfxstime, xrefs: 000000013FF80C1F
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 000000013FF80C02
sfxname, xrefs: 000000013FF80B9B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: a8dee53382f89b6e08e422cbf5d41e0c5acc1e70b6aec1bd7dd538d57bc5f32c
Instruction ID: a3922a514e940d71d9767af06005d2f1b2a53583f79057f4a2ecc49c07f1debd
Opcode Fuzzy Hash: a8dee53382f89b6e08e422cbf5d41e0c5acc1e70b6aec1bd7dd538d57bc5f32c
Instruction Fuzzy Hash: 5A12AD73A10B8582FB10DF24E8453E967A9FB84794F804239DE9D56BA6EF78C746C700

Function 000000013FF6A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF6A504

Part of subcall function 000000013FF70F68: WideCharToMultiByte.KERNEL32 ref: 000000013FF70F99

SetDlgItemTextW.USER32 ref: 000000013FF6A573
GetWindowRect.USER32 ref: 000000013FF6A5AD
GetClientRect.USER32 ref: 000000013FF6A5BB
GetWindowLongPtrW.USER32 ref: 000000013FF6A66C
GetWindowRect.USER32 ref: 000000013FF6A6B2
SetWindowTextW.USER32 ref: 000000013FF6A6EC
GetSystemMetrics.USER32 ref: 000000013FF6A6F7
GetWindow.USER32 ref: 000000013FF6A708
GetWindowRect.USER32 ref: 000000013FF6A746
GetWindow.USER32 ref: 000000013FF6A808

Strings

CAPTION, xrefs: 000000013FF6A6CF
$%s:, xrefs: 000000013FF6A4EF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: e7168309f5315eb53625c5c1a421cb0b69e5d274aefa6e2c208e14e00312e26e
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 9F91F533B2465486E718CF39E80079AB7A5F785B84F445529EE4A57B98CF3CDE06CB00

Function 000000013FF78624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 000000013FF7863D
SizeofResource.KERNEL32 ref: 000000013FF78659
LoadResource.KERNEL32 ref: 000000013FF78673
LockResource.KERNEL32 ref: 000000013FF78685
GlobalAlloc.KERNELBASE ref: 000000013FF786A6
GlobalLock.KERNEL32 ref: 000000013FF786BB
CreateStreamOnHGlobal.OLE32 ref: 000000013FF786E8
GdipAlloc.GDIPLUS ref: 000000013FF786FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 000000013FF78769
GlobalUnlock.KERNEL32 ref: 000000013FF7878C
GlobalFree.KERNEL32 ref: 000000013FF78795

Strings

PNG, xrefs: 000000013FF7862F

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 7796401dbb0ed43758eadfa451cec2f048364635eaaf3a2437499e19f0a44f57
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 4F411037A11B4582FF149F16D9543A9A7A8AB88BD4F544439CE0A87764EF78C64BC700

Function 000000013FF5F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61263

Strings

__tmp_reference_source_, xrefs: 000000013FF5FCCF, 000000013FF5FCDE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: b28ddd4369ee9d2fb9f54b960e8e8661f54215d7ba7c365575bd3731626fabcc
Instruction ID: 63b5ba0cfae9e0acdec579c33fec11094c6b2e34b8abc651685b4cd32d699868
Opcode Fuzzy Hash: b28ddd4369ee9d2fb9f54b960e8e8661f54215d7ba7c365575bd3731626fabcc
Instruction Fuzzy Hash: 7DE2CF73A046C092EE64DB35E1843DEA7A9F781BA4F50412ADF9D03AE6CF78D656C700

Function 000000013FF54840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF55124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF55E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF55E1C

Strings

CMT, xrefs: 000000013FF559B2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 4e0d3519dbc53a17a318317a6bcad5245a825900c95476f602d2745d5873cb12
Instruction ID: c80235e82157f7c96e878909b241bc44f6ad9feaec25930ab30c7778effa0331
Opcode Fuzzy Hash: 4e0d3519dbc53a17a318317a6bcad5245a825900c95476f602d2745d5873cb12
Instruction Fuzzy Hash: 6EE20C33B00A8086EB28DB75D5683EE67A9F745798F48003ADE5E47B96DF38D656C300

Function 000000013FF640BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 000000013FF6410B
FindFirstFileW.KERNEL32 ref: 000000013FF6415E
GetLastError.KERNEL32 ref: 000000013FF641AF
FindNextFileW.KERNEL32 ref: 000000013FF641D7
GetLastError.KERNEL32 ref: 000000013FF641E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF64315

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 3558f315e1be10042476175db8ede7ee76fa75e1d5bd3181acd8c5a3a8ae59ff
Instruction ID: 0da8c72e8fba7f6f4094cb8d0c44c4d2f825cd0c8c3d7267ef2e6745e3c75b18
Opcode Fuzzy Hash: 3558f315e1be10042476175db8ede7ee76fa75e1d5bd3181acd8c5a3a8ae59ff
Instruction Fuzzy Hash: EF61A273A04A8481EA10DF28E8453DE6369F795BB4F505329EEAD03BD9DF78C686C700

Function 000000013FF55E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 000000013FF559B2, 000000013FF5675B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 47cd3b120c54ed8ca83a83c160b6bdeeb0161c1da1c2dba66732434d3e775dd7
Instruction ID: d7ec0ce94c64852a11dfa8621b1e425c66420ab3204ba5dc5397eff8ce19ad1d
Opcode Fuzzy Hash: 47cd3b120c54ed8ca83a83c160b6bdeeb0161c1da1c2dba66732434d3e775dd7
Instruction Fuzzy Hash: C142D933B00A809AEB18DB74C2583ED77A9E751798F40013ADF6E57696DF34EA5AC300

Function 000000013FF82D50 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FF82D59
_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8CF70

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 5e8e7c2eab798a38dfb3fde06ce0d0a0e1510679a82775c568ee565f78a798df
Instruction ID: e3768da98b353e7c1626f9dbd642a59ded28267fafb117eb9fa218d452db79b3
Opcode Fuzzy Hash: 5e8e7c2eab798a38dfb3fde06ce0d0a0e1510679a82775c568ee565f78a798df
Instruction Fuzzy Hash: 7DE01237E15175C6F61C37765C823DC1CD96B85320F60023DEA1D453C2CA690793AA62

Function 000000013FF71F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction ID: efe7cfbcf58a9fcc2210e7fe055d5492e488a73f0819f3a0581692dd179713ef
Opcode Fuzzy Hash: 4f290487e5a667d54cc41a5d187d2fad0533435d196c5144e63478bd963f0733
Instruction Fuzzy Hash: 9EE1D273A04A808AFB64CF29A044BEDBBA5F344788F15413DDF8A97785DB38D64AC704

Function 000000013FF73484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction ID: 10d92c0dd7f976ed2b31ac555d6e99644d031d3c076dcea7c68c72ffa7de8a92
Opcode Fuzzy Hash: 8c3f9089be966249862bf56ce032710d6eb03eb50aa34be6e58aa05575d530c2
Instruction Fuzzy Hash: 69B1B0B3B01BD8A2EE58DA66D608BD9A399F345FC4F48803ADE5D47745DB38D25AC300

Function 000000013FF64928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction ID: db50890ff30bf453ca7f57b4d861b73beaab12e46f635d0afc9cd640dc03751e
Opcode Fuzzy Hash: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction Fuzzy Hash: CF413733B11E9086FB68EF32E940B9A265AF3C4B98F1450389E4E07B95DE38D547C704

Function 000000013FF6DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E05D
CreateFileW.KERNEL32 ref: 000000013FF6E3F0
SetFilePointer.KERNEL32 ref: 000000013FF6E40E
ReadFile.KERNEL32 ref: 000000013FF6E436

Part of subcall function 000000013FF6DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013FF6DDDF

CompareStringW.KERNELBASE ref: 000000013FF6E559
CloseHandle.KERNEL32 ref: 000000013FF6E4F3

Part of subcall function 000000013FF51FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51FFB

Part of subcall function 000000013FF651A4: GetVersionExW.KERNEL32 ref: 000000013FF651D5

Part of subcall function 000000013FF6DFD0: LoadLibraryW.KERNEL32 ref: 000000013FF6DEFF
Part of subcall function 000000013FF6DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6DFB5
Part of subcall function 000000013FF6DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6DFBB
Part of subcall function 000000013FF6DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6DFC1
Part of subcall function 000000013FF6DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6DFC7

AllocConsole.KERNEL32 ref: 000000013FF6E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E755
AttachConsole.KERNEL32 ref: 000000013FF6E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E780
WriteConsoleW.KERNEL32 ref: 000000013FF6E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 000000013FF6E7A4
FreeConsole.KERNEL32 ref: 000000013FF6E7AA
ExitProcess.KERNEL32 ref: 000000013FF6E7BB

Strings

propsys.dll, xrefs: 000000013FF6E2AD
RpcRtRemote.dll, xrefs: 000000013FF6E363
rsaenh.dll, xrefs: 000000013FF6E0A7
ntmarta.dll, xrefs: 000000013FF6E1F7
slc.dll, xrefs: 000000013FF6E23D
dfscli.dll, xrefs: 000000013FF6E2F3
clbcatq.dll, xrefs: 000000013FF6E0E9
dsrole.dll, xrefs: 000000013FF6E37F
samlib.dll, xrefs: 000000013FF6E2D7
cabinet.dll, xrefs: 000000013FF6E1DB
mpr.dll, xrefs: 000000013FF6E291
iphlpapi.DLL, xrefs: 000000013FF6E267
rasadhlp.dll, xrefs: 000000013FF6E30F
oleaccrc.dll, xrefs: 000000013FF6E1E9
netapi32.dll, xrefs: 000000013FF6E16B
dhcpcsvc6.dll, xrefs: 000000013FF6E31D
ws2help.dll, xrefs: 000000013FF6E10A
XmlLite.dll, xrefs: 000000013FF6E339
version.dll, xrefs: 000000013FF6E07B
shell32.dll, xrefs: 000000013FF6E1BF
secur32.dll, xrefs: 000000013FF6E1CD
cryptsp.dll, xrefs: 000000013FF6E355
imageres.dll, xrefs: 000000013FF6E24B
devrtl.dll, xrefs: 000000013FF6E29F
cryptui.dll, xrefs: 000000013FF6E1A3
apphelp.dll, xrefs: 000000013FF6E14F
dnsapi.DLL, xrefs: 000000013FF6E259
dhcpcsvc.dll, xrefs: 000000013FF6E32B
SetDllDirectoryW, xrefs: 000000013FF6E026
peerdist.dll, xrefs: 000000013FF6E38D
mlang.dll, xrefs: 000000013FF6E2BB
cscapi.dll, xrefs: 000000013FF6E22F
sfc_os.dll, xrefs: 000000013FF6E091
DXGIDebug.dll, xrefs: 000000013FF6E086, 000000013FF6E5B6
wintrust.dll, xrefs: 000000013FF6E1B1
lpk.dll, xrefs: 000000013FF6E0D3
linkinfo.dll, xrefs: 000000013FF6E347
samcli.dll, xrefs: 000000013FF6E2C9
srvcli.dll, xrefs: 000000013FF6E221
kernel32, xrefs: 000000013FF6E011
ntshrui.dll, xrefs: 000000013FF6E12B
aclui.dll, xrefs: 000000013FF6E371
SSPICLI.DLL, xrefs: 000000013FF6E09C
uxtheme.dll, xrefs: 000000013FF6E66D
crypt32.dll, xrefs: 000000013FF6E187
browcli.dll, xrefs: 000000013FF6E301
cryptbase.dll, xrefs: 000000013FF6E0C8
psapi.dll, xrefs: 000000013FF6E115
WindowsCodecs.dll, xrefs: 000000013FF6E213
SetDefaultDllDirectories, xrefs: 000000013FF6E053
WINNSI.DLL, xrefs: 000000013FF6E275
usp10.dll, xrefs: 000000013FF6E0DE
netutils.dll, xrefs: 000000013FF6E283
msasn1.dll, xrefs: 000000013FF6E195
ieframe.dll, xrefs: 000000013FF6E120
atl.dll, xrefs: 000000013FF6E136
UXTheme.dll, xrefs: 000000013FF6E0B2
userenv.dll, xrefs: 000000013FF6E15D
dwmapi.dll, xrefs: 000000013FF6E0BD, 000000013FF6E661
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 000000013FF6E73B
comres.dll, xrefs: 000000013FF6E0F4
setupapi.dll, xrefs: 000000013FF6E141
profapi.dll, xrefs: 000000013FF6E205
wkscli.dll, xrefs: 000000013FF6E2E5
shdocvw.dll, xrefs: 000000013FF6E179
ws2_32.dll, xrefs: 000000013FF6E0FF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction ID: ecc4010a722c130b46c1003ef525dd6ef1d8273d34ff2755bbab5ffbc8bde686
Opcode Fuzzy Hash: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction Fuzzy Hash: F832FA37A01B8099EB219F64E8813DA33A8FB44758F91123ADE4D577A5EF38C756C740

Function 000000013FF698DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF68E58: Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF68F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF69F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6A435

Part of subcall function 000000013FF70BBC: MultiByteToWideChar.KERNEL32 ref: 000000013FF70BE9

Strings

RTL, xrefs: 000000013FF69F2E
DIALOG, xrefs: 000000013FF69DCD
, xrefs: 000000013FF69DF9
$%s:, xrefs: 000000013FF69F50
DIRECTION, xrefs: 000000013FF69DE5
,, xrefs: 000000013FF69FAA
STRINGS, xrefs: 000000013FF69DC1
*messages***, xrefs: 000000013FF69C04
MENU, xrefs: 000000013FF69DD9
*messages***, xrefs: 000000013FF69BC6
@%s:, xrefs: 000000013FF69F57

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 15c8a0442dfdb0da6b8bb8c321e22356c09d03479809fd76414af841d758a6b1
Instruction ID: fbaee4b29ac38c23ac32f870a95ba0d28c9ef9143845198874a7ad69987c4434
Opcode Fuzzy Hash: 15c8a0442dfdb0da6b8bb8c321e22356c09d03479809fd76414af841d758a6b1
Instruction Fuzzy Hash: 9462BD33B11A8095EB20DF35D4883EE67A9F7507A8F80522ADE5A476D9EF39C746C340

Function 000000013FF81900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013FF81558: DloadProtectSection.DELAYIMP ref: 000000013FF815C9

RaiseException.KERNEL32 ref: 000000013FF819A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000013FF81993

Part of subcall function 000000013FF81868: DloadProtectSection.DELAYIMP ref: 000000013FF818C7

LoadLibraryExA.KERNELBASE ref: 000000013FF81A46
GetLastError.KERNEL32 ref: 000000013FF81A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 000000013FF81A86
RaiseException.KERNEL32 ref: 000000013FF81A9A

Strings

H, xrefs: 000000013FF81974

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 0e0e9927a72fbc47ccf18a58c2b210060b6c5e299e54f5edf2530daae9eb9b20
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 5B911533B01B608AEB50DFA5D9847D937A9FB08B98F494639DE0917B68EB34D646C340

Function 000000013FF7F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 000000013FF7F747
ShowWindow.USER32 ref: 000000013FF7F786
GetExitCodeProcess.KERNEL32 ref: 000000013FF7F7BD
CloseHandle.KERNEL32 ref: 000000013FF7F7E7
ShowWindow.USER32 ref: 000000013FF7F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7F8FB

Strings

.exe, xrefs: 000000013FF7F7F2
Install, xrefs: 000000013FF7F684
p, xrefs: 000000013FF7F529
.inf, xrefs: 000000013FF7F675

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: e6df9d24348bb93514fb480ea1be33c8dcd4460610e8708733d7670b1b277d8e
Instruction ID: 9784dd94c9bab6573bd6ba762e09e2399b6028871234c1a2bf5916d0feacd12d
Opcode Fuzzy Hash: e6df9d24348bb93514fb480ea1be33c8dcd4460610e8708733d7670b1b277d8e
Instruction Fuzzy Hash: B5C19F73F1460095FB00DB25D9443E9A7B9A789BC4F044139DE5A87BE5EB38CA5BC344

Function 000000013FF7F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013FF7AE1C: PeekMessageW.USER32 ref: 000000013FF7AE32
Part of subcall function 000000013FF7AE1C: GetMessageW.USER32 ref: 000000013FF7AE49
Part of subcall function 000000013FF7AE1C: IsDialogMessageW.USER32 ref: 000000013FF7AE60
Part of subcall function 000000013FF7AE1C: TranslateMessage.USER32 ref: 000000013FF7AE6F
Part of subcall function 000000013FF7AE1C: DispatchMessageW.USER32 ref: 000000013FF7AE7A

GetDlgItem.USER32 ref: 000000013FF7F0E3
ShowWindow.USER32 ref: 000000013FF7F109
SendMessageW.USER32 ref: 000000013FF7F11E
SendMessageW.USER32 ref: 000000013FF7F136
SendMessageW.USER32 ref: 000000013FF7F157
SendMessageW.USER32 ref: 000000013FF7F173
SendMessageW.USER32 ref: 000000013FF7F1B6
SendMessageW.USER32 ref: 000000013FF7F1D4
SendMessageW.USER32 ref: 000000013FF7F1E8
SendMessageW.USER32 ref: 000000013FF7F212
SendMessageW.USER32 ref: 000000013FF7F22A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 67c218186dfcd82f827fc9483bfeff791cf932601903732cc2123b6c926e302c
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 9341AD33B10A4486F714CF61E814BDA2764E389BDCF481139DE1617B95CF7DCA4A8744

Function 000000013FF5EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F572

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0144bcc994d84486ee27bbb6ec5de5de067ba5895e62caa73601afb15b6542e9
Instruction ID: eeeba3dfb729e99330ba74db510307c74849fc076b687f04c29ca54b3cbb4ed9
Opcode Fuzzy Hash: 0144bcc994d84486ee27bbb6ec5de5de067ba5895e62caa73601afb15b6542e9
Instruction Fuzzy Hash: 1C128B73F10B40C5FB10DB65D4483ED27AAA7857A8F50426ADE5D17AEADF38C68AC340

Function 000000013FF872EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,000000013FF874F3,?,?,?,000000013FF8525E,?,?,?,000000013FF85219), ref: 000000013FF87371
GetLastError.KERNEL32(?,?,00000000,000000013FF874F3,?,?,?,000000013FF8525E,?,?,?,000000013FF85219), ref: 000000013FF8737F
LoadLibraryExW.KERNEL32(?,?,00000000,000000013FF874F3,?,?,?,000000013FF8525E,?,?,?,000000013FF85219), ref: 000000013FF873A9
FreeLibrary.KERNEL32(?,?,00000000,000000013FF874F3,?,?,?,000000013FF8525E,?,?,?,000000013FF85219), ref: 000000013FF873EF
GetProcAddress.KERNEL32(?,?,00000000,000000013FF874F3,?,?,?,000000013FF8525E,?,?,?,000000013FF85219), ref: 000000013FF873FB

Strings

api-ms-, xrefs: 000000013FF87391

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: aef943ec18d7a022ab685c82bfe9b44b46f62331a9ecc246e5a28f75c0a9682e
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 2231E633B16660D1EE11DB16A8407DA2B9CFB48BA0F59453DDD1D5B394DF38C246C710

Function 000000013FF624C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000013FF6259B
GetLastError.KERNEL32 ref: 000000013FF625AE
CreateFileW.KERNEL32 ref: 000000013FF6260E
GetLastError.KERNEL32 ref: 000000013FF62617
SetFileTime.KERNEL32 ref: 000000013FF626C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF62736

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: c90d99a879dbc59780aaf31344be960bf5048a79d4b9b92666a592f6816938e3
Instruction ID: e5ba817cf6ee884bce7ad8d27c6961b04448c14dd904812ac0820e9e622f502c
Opcode Fuzzy Hash: c90d99a879dbc59780aaf31344be960bf5048a79d4b9b92666a592f6816938e3
Instruction Fuzzy Hash: 9F619377A1068085EB208F39E54439E67B5F3857B8F101328DFA907AE9DF39C69AC744

Function 000000013FF7B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 000000013FF7B02A
GetObjectW.GDI32 ref: 000000013FF7B05B
DeleteObject.GDI32 ref: 000000013FF7B095
DeleteObject.GDI32 ref: 000000013FF7B0C5

Part of subcall function 000000013FF78624: FindResourceW.KERNEL32 ref: 000000013FF7863D
Part of subcall function 000000013FF78624: SizeofResource.KERNEL32 ref: 000000013FF78659
Part of subcall function 000000013FF78624: LoadResource.KERNEL32 ref: 000000013FF78673
Part of subcall function 000000013FF78624: LockResource.KERNEL32 ref: 000000013FF78685
Part of subcall function 000000013FF78624: GlobalAlloc.KERNELBASE ref: 000000013FF786A6
Part of subcall function 000000013FF78624: GlobalLock.KERNEL32 ref: 000000013FF786BB
Part of subcall function 000000013FF78624: CreateStreamOnHGlobal.OLE32 ref: 000000013FF786E8
Part of subcall function 000000013FF78624: GdipAlloc.GDIPLUS ref: 000000013FF786FE
Part of subcall function 000000013FF78624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 000000013FF78769
Part of subcall function 000000013FF78624: GlobalUnlock.KERNEL32 ref: 000000013FF7878C
Part of subcall function 000000013FF78624: GlobalFree.KERNEL32 ref: 000000013FF78795

Strings

], xrefs: 000000013FF7B063

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 2c29e9f91ef7409f66a9199dc0c0c9a16bf7593e9d5d0cee09f0e5430d76cb5f
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 9C118232B0564542FA649B22A6543E9D39AAB89BD4F18003C9E5D47B99DE2CDE0EC700

Function 000000013FF8F414 Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 000000013FF8F536

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 614ce774dda921a1c2b430e7cb11cda12f46578b0e2e6dda20e61bee697399a0
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 8C410433B11A5089FE159F22A9447D66B9DB744FE0F09453EDE198F7D8EB38C6468300

Function 000000013FF7AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 000000013FF7AE32
GetMessageW.USER32 ref: 000000013FF7AE49
IsDialogMessageW.USER32 ref: 000000013FF7AE60
TranslateMessage.USER32 ref: 000000013FF7AE6F
DispatchMessageW.USER32 ref: 000000013FF7AE7A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: fa337473240bafa04711ee223e626318911efa9e421d0012b86ce6509aaf7eba
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 2CF06237B3054482FB549B21E895BA66369FBD0748F906439ED4B81864DF3CCE0ACB00

Function 000000013FF791E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 000000013FF79211
SHAutoComplete.SHLWAPI ref: 000000013FF79255

Part of subcall function 000000013FF713C4: CompareStringW.KERNEL32 ref: 000000013FF713E3

FindWindowExW.USER32 ref: 000000013FF7923F

Strings

EDIT, xrefs: 000000013FF7921B, 000000013FF79233

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 3fe58c69dc36606d2d4044fe9554d78de7286a7d973d8b90997964ddc7bb9a4f
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 7B013173B10A8581FB349B21E8117D66398AB98784F4411398D4D467A5DE6CC74EC640

Function 000000013FF62CE0 Relevance: 6.1, APIs: 4, Instructions: 136fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000013FF68C9A), ref: 000000013FF62D22
WriteFile.KERNEL32 ref: 000000013FF62D6C
WriteFile.KERNELBASE ref: 000000013FF62D9A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 6cd78db48ad0d9b226c97101cb61b208fe2fcd81b3a9cbf8e3f9182465f50604
Instruction ID: 8c8278b3f3408f87cc4e4c064866970414f07e4499ff7b68d038cceab4cf5fe6
Opcode Fuzzy Hash: 6cd78db48ad0d9b226c97101cb61b208fe2fcd81b3a9cbf8e3f9182465f50604
Instruction Fuzzy Hash: 6051E233B11A4192FF50CB25D9447EA6368F795BA4F440139EE0A07AE4EF7CC68AC300

Function 000000013FF803E0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 000000013FF80556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF805C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF805C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF805CD

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 37944a8cf501712dba7b7552f49b5fdb5cf8609680ceced34cad6b817c0b05d3
Instruction ID: 512ea58a5e5c08748cd5ba35b1130083ce5dbcffdf828d7bd2f42351dce3d2e3
Opcode Fuzzy Hash: 37944a8cf501712dba7b7552f49b5fdb5cf8609680ceced34cad6b817c0b05d3
Instruction Fuzzy Hash: C7517E73F20B6085FF009BA5D8453DD276ABB45BA4F90062ADE1C1BBEADF64C642C314

Function 000000013FF63684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,000000013FF6309D), ref: 000000013FF636CE
CreateDirectoryW.KERNEL32 ref: 000000013FF63733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,000000013FF6309D), ref: 000000013FF63791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF637CE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: ac7929ab680600a75a05425a8dcfbf923b8573e4052e4e1cf8798639435a1a0e
Instruction ID: bd523d018f19feee12e41608a5206b3e18ec0c06c6b85a3d2ae3456a7cfb135b
Opcode Fuzzy Hash: ac7929ab680600a75a05425a8dcfbf923b8573e4052e4e1cf8798639435a1a0e
Instruction Fuzzy Hash: A331D273A08A8181FB209B35A5853EE6369F7897B0F500239EE99437D5DF38C6478600

Function 000000013FF82D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000013FF82D7B

Part of subcall function 000000013FF827FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000013FF8281E

__scrt_acquire_startup_lock.LIBCMT ref: 000000013FF82D90
__scrt_release_startup_lock.LIBCMT ref: 000000013FF82DFE
__scrt_get_show_window_mode.LIBCMT ref: 000000013FF82E51

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 38a66132f8a18a21de88722b591adbd19318f47f3bfe959ca655296bd52075e0
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: D2316E33E0126042FB64BB64D9553EA2F99AB41784F44043CEE4A4B3E7DE28EB0BC355

Function 000000013FF62320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,000000013FF62927,?,00100000,?,00000001,00000000,00000000,?,000000013FF614C1), ref: 000000013FF62348
ReadFile.KERNELBASE ref: 000000013FF62367
GetLastError.KERNEL32 ref: 000000013FF6239B
GetLastError.KERNEL32 ref: 000000013FF623BA

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: e886909bc6bcf5adffdd55d9ae8a09cf290f7fea08ed8fbcdbbff82bc0a072e0
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 0321CD33E04A4081EE609F31E4013AE63A8F345BA8F144578DE995B7D8DF7DCA878B11

Function 000000013FF6E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF6ECD8: ResetEvent.KERNEL32 ref: 000000013FF6ECF1
Part of subcall function 000000013FF6ECD8: ReleaseSemaphore.KERNEL32 ref: 000000013FF6ED07

ReleaseSemaphore.KERNEL32 ref: 000000013FF6E974
CloseHandle.KERNELBASE ref: 000000013FF6E993
DeleteCriticalSection.KERNEL32 ref: 000000013FF6E9AA
CloseHandle.KERNEL32 ref: 000000013FF6E9B7

Part of subcall function 000000013FF6EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,000000013FF6E95F,?,?,?,000000013FF6463A,?,?,?), ref: 000000013FF6EA63
Part of subcall function 000000013FF6EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000013FF6E95F,?,?,?,000000013FF6463A,?,?,?), ref: 000000013FF6EA6E

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 0a48bb0d91462b78da85bf2cc6407aaff27f885b4ba4cca0939e921f7c1811be
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 78010C33A10A90A2E648DB21EA4479EB335F788BD0F404125DF6A03665CF35D6B6C744

Function 000000013FF6EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 000000013FF6EAE0
SetThreadPriority.KERNEL32 ref: 000000013FF6EB36

Strings

CreateThread failed, xrefs: 000000013FF6EAEE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 1e74c08b129393a4e088963cc4eff2c6a22dc8c623d7ea611f53ff371c5e0c83
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 22110D33A14A4092FB15DF21E8813DA7368F784B98F5445399E4906769EF38CA97CB44

Function 000000013FF7946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF6DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013FF6DDDF

OleInitialize.OLE32 ref: 000000013FF79486
SHGetMalloc.SHELL32 ref: 000000013FF794D4

Strings

riched20.dll, xrefs: 000000013FF79475

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction ID: 676c9cc8ef4d454d8caf9ca2f562ff0e648da6e63a3edca889df8b61ba4f5627
Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction Fuzzy Hash: 2EF04F72614A4482EB409F20F41539EB7A4FB88754F440139ED8E42754DF7CCA4ECB00

Function 000000013FF8EF5C Relevance: 4.7, APIs: 3, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013FF8EFE3
MultiByteToWideChar.KERNEL32 ref: 000000013FF8F0A8
WideCharToMultiByte.KERNEL32 ref: 000000013FF8F238

Part of subcall function 000000013FF8D94C: RtlAllocateHeap.NTDLL ref: 000000013FF8D98A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeap
String ID:
API String ID: 2584219951-0
Opcode ID: 2257e0b6f8e0a972416a043cca1dd440209c131bba8554c2344489417849a289
Instruction ID: 05b43c78a487d4ef9eeea401a4a78953d9144bd8375cbf665adac28153c96b08
Opcode Fuzzy Hash: 2257e0b6f8e0a972416a043cca1dd440209c131bba8554c2344489417849a289
Instruction Fuzzy Hash: FEA1C573B10B558AEB648F65D4403E96BD9FB88BA8F044239EE5947BC9DB7CC6468300

Function 000000013FF7095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF7853C: GlobalMemoryStatusEx.KERNEL32 ref: 000000013FF7856C

Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB67
Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB80

Part of subcall function 000000013FF51FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51FFB

Part of subcall function 000000013FF5129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF51396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF801BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF801C1
SendDlgItemMessageW.USER32 ref: 000000013FF801F2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: b44ab40ada4fdf7cdbcaa15f8daeace4536de695359eeab31afda72367bc6ece
Instruction ID: 0b793923b58cd5e9a37c0590b2a3aecf96590713e83a098dae3d287294cabff5
Opcode Fuzzy Hash: b44ab40ada4fdf7cdbcaa15f8daeace4536de695359eeab31afda72367bc6ece
Instruction Fuzzy Hash: 7C51C273F11B5086FB10ABB5D4553ED236AA789BD8F40023ADE1D577DAEE28C642C340

Function 000000013FF62134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000013FF621CF
CreateFileW.KERNEL32 ref: 000000013FF6223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF622D8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 4deb08ca3be5073a72b2bd7db4a08fd3c34f80865c8b8240031b88655e7f576e
Instruction ID: 249cf942424de98eb5e779117b96985839f5c0cdb6cab4c45cb53e71336278c1
Opcode Fuzzy Hash: 4deb08ca3be5073a72b2bd7db4a08fd3c34f80865c8b8240031b88655e7f576e
Instruction Fuzzy Hash: E841AD73A14B8482EF248F25E44439A67A5F385BB8F105729DFA907AD9CF7CC696C700

Function 000000013FF523F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 000000013FF5243E
GetWindowTextW.USER32 ref: 000000013FF52476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF52505

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: edbdae515b0ac00df6a361e0ea4ef83759fb05d05b990204e34ba692badc1145
Instruction ID: 3bfd6fcffb4fc2d8d27ee92904e10f3e1452b968b7bf2c30442fb6051b6d457d
Opcode Fuzzy Hash: edbdae515b0ac00df6a361e0ea4ef83759fb05d05b990204e34ba692badc1145
Instruction Fuzzy Hash: F121B173A24B8481EA149B65E8403AAB768F789BD0F144329EFDD03B95CF3CD282C700

Function 000000013FF71F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF7205B
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF72077
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF72093

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction ID: 484d667416ba45d93848a30a12c2f4522452db6e5055e4d8c455df0c88563fff
Opcode Fuzzy Hash: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction Fuzzy Hash: 7031B633A05A8452FB24A714E4443D9A3A8F340BC4F54443DDA8C467A9DFB9DB5FC701

Function 000000013FF63D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,000000013FF707E1), ref: 000000013FF63D5E
SetFileAttributesW.KERNEL32 ref: 000000013FF63DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF63E1A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 6ed0c8a070441816d5330cd3769e28eb6ceea82749a6528c2ac8f8b7ff7a8567
Instruction ID: d7a9c682e90cda4ab5d5438339c50fa14a5b365b37a77e701b0d3c362459cbe6
Opcode Fuzzy Hash: 6ed0c8a070441816d5330cd3769e28eb6ceea82749a6528c2ac8f8b7ff7a8567
Instruction Fuzzy Hash: 80219533A14A8481EE209F65E4553DA6365FB88BA4F505238EE9E477D5EF3CC646CA00

Function 000000013FF631BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,000000013FF70822), ref: 000000013FF631E7
DeleteFileW.KERNEL32 ref: 000000013FF63237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF632A1

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 1fd191feb40cc67e00974fea17ca92e04a2935e1faff0a05b7b511311eb8a7b5
Instruction ID: 7897bacba34929470b12a1d684dba3961c1ac75c39bcb53222e3eaeaf18023db
Opcode Fuzzy Hash: 1fd191feb40cc67e00974fea17ca92e04a2935e1faff0a05b7b511311eb8a7b5
Instruction Fuzzy Hash: 9B219533A1478081EE108B25F84539E6364F789BA8F501239EE9E46BE9DF3CC682C700

Function 000000013FF632BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000000013FF6E5B1,?,?,?,00000000,?), ref: 000000013FF632E7
GetFileAttributesW.KERNELBASE ref: 000000013FF63334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF63399

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 9a50065414fe101911552ba5ebcc3347b9eb07001169c906163cef81c3539e2a
Instruction ID: a430f78b60e312c2b958beee7a98d992e4dd7836cc9fc6b72477ceeaed7624bc
Opcode Fuzzy Hash: 9a50065414fe101911552ba5ebcc3347b9eb07001169c906163cef81c3539e2a
Instruction Fuzzy Hash: 20215033A14B8082EA109B29F44539A6375F7C9BA4F500229EE9D47BE9DF3CC682C704

Function 000000013FF8BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,000000013FF8BF48), ref: 000000013FF8BF8C
TerminateProcess.KERNEL32(?,?,?,000000013FF8BF48), ref: 000000013FF8BF97
ExitProcess.KERNEL32 ref: 000000013FF8BFA6

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 9a6bc1632186e8c5ba1d6c74397b35afb8722ab2f5f1849ae1fd5b8c7a3667cc
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 06E0463AB0031487EB646B719D993EA275AAB88B41F10543CCD16033ABCE398A4BC700

Function 000000013FF9038C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000013FF903C2

Strings

, xrefs: 000000013FF90407

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a8c800685481078d801c3a9547140eba41de8252033d851bc208b7bc76324660
Instruction ID: 1ea8a9d9586e0b555edd846d309642b4abc12730e44c414d0d4e1f77b2ceaae3
Opcode Fuzzy Hash: a8c800685481078d801c3a9547140eba41de8252033d851bc208b7bc76324660
Instruction Fuzzy Hash: 30518373A186C08BE721CF38E0843DE7BA8F348748F54412ADB8987A95CB79C257CB10

Function 000000013FF8F79C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000013FF8F86A

Strings

LCMapStringEx, xrefs: 000000013FF8F7BD, 000000013FF8F7CE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 17426379dc5621f9e1018306a2e07a6620b14fb09a176a6cc70ab50f48641bf8
Instruction ID: c022e30be7b9fe8e75c93bb26716e6c87f22a63554dd801fde6ab9a33cb287cc
Opcode Fuzzy Hash: 17426379dc5621f9e1018306a2e07a6620b14fb09a176a6cc70ab50f48641bf8
Instruction Fuzzy Hash: 3C213036A04B8486DB64CB56F84039AB7A5F7C9B90F54412ADECD43B59DF38C546CB04

Function 000000013FF8F724 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?,00000003,000000013FF8D771), ref: 000000013FF8F781

Strings

InitializeCriticalSectionEx, xrefs: 000000013FF8F73B, 000000013FF8F74E

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c2713cc8f82347ddf34c1ff1e3a46d417220554c4cdd39c6d4a1de9404e2d7ea
Instruction ID: 5def71678e8c8835e632703793175d5c63a0445a0bdd9e2b8b7e73e43f3cba4d
Opcode Fuzzy Hash: c2713cc8f82347ddf34c1ff1e3a46d417220554c4cdd39c6d4a1de9404e2d7ea
Instruction Fuzzy Hash: E3F04F3AB15B9482EB049B46F5803DE7765AB89BD0F984039EE8907B59CE78CA46C700

Function 000000013FF8F5B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,000000013FF8D590), ref: 000000013FF8F5F8

Strings

FlsAlloc, xrefs: 000000013FF8F5C1, 000000013FF8F5D4

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 69bde66f6f93e2be0612d4f6e2d410048c1b703c33c775dbe88a9e5d38be4015
Instruction ID: bf2bc960964b7b7b50b9879a75ff4272e994b323aba33f51f51e617f2401e5df
Opcode Fuzzy Hash: 69bde66f6f93e2be0612d4f6e2d410048c1b703c33c775dbe88a9e5d38be4015
Instruction Fuzzy Hash: 40E09232E0564491EE059B55FA543ED23A8EF88BD0FA4103EDD4907391EE38C787C710

Function 000000013FF5F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5F89B

Part of subcall function 000000013FF63EC8: FindClose.KERNELBASE(?,?,00000000,000000013FF70811), ref: 000000013FF63EFD

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 4e6642f218c424b74ba5f7528acf490deaa38b33319aba77548da38eac26a4e9
Instruction ID: 71db8f97f5a82162dfb47373595bf51cc2399f7c289c8f83a9989b322e2573e4
Opcode Fuzzy Hash: 4e6642f218c424b74ba5f7528acf490deaa38b33319aba77548da38eac26a4e9
Instruction Fuzzy Hash: EE917E73A14B90D5EB10DF64E8883DD67A9F784798F904129EE5C07AE9DF74C686C340

Function 000000013FF90818 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF9027C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000000013FF90599,?,?,?,?,?,?,?,000000013FF90749), ref: 000000013FF902A6

IsValidCodePage.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013FF9064C,?,?,?,?,?,?,?,000000013FF90749), ref: 000000013FF90892
GetCPInfo.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000013FF9064C,?,?,?,?,?,?,?,000000013FF90749), ref: 000000013FF908A7

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: be6a5759142bd0290644e03c106ed6a52b2c001b1214ea6308d5d9eba8f96ecf
Instruction ID: b26553ff2437d0c8c86482bed3a1e9999c72855fbde49e7f0d77d0b94b0c90d2
Opcode Fuzzy Hash: be6a5759142bd0290644e03c106ed6a52b2c001b1214ea6308d5d9eba8f96ecf
Instruction Fuzzy Hash: 1781AF73E1469086F7658F35D4403EE7BA9E344B80F58413AEE89877A5DA79CB83C740

Function 000000013FF53904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF53AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF53AB9

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ac102126b0f220e1916f8f5b565c1fb15815e34047790f49f88a60c97a0c8aaa
Instruction ID: a001a878c6c010a125a3781b5c1b2c1e9379476ad779509d2c3ef6341b267cf9
Opcode Fuzzy Hash: ac102126b0f220e1916f8f5b565c1fb15815e34047790f49f88a60c97a0c8aaa
Instruction Fuzzy Hash: 23418C73F106A085FF00DBB9D4597DD276AAB45BD8F145239EE1D27ADADA34C6838300

Function 000000013FF62778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,000000013FF6274D), ref: 000000013FF628A9
GetLastError.KERNEL32(?,000000013FF6274D), ref: 000000013FF628B8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: b0ae025b17793733d988239ffa0ff6daac6c698f6a31d026fc4bc89f60c4e8d7
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: 1D319133B12A5082EE604B3ADD807D92398AB44BE4F54013ADE19577E4DF3CCA839744

Function 000000013FF522BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000013FF522F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF523F0

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 50d3dabbc2cad761c4bf160d2ea854522c0340c6e18f5e49c1c90068bd6a6ba9
Instruction ID: 7137c13b380ebe6d6e877eed848ca0b7b340879a800e6da6f7b013b4c3dc148a
Opcode Fuzzy Hash: 50d3dabbc2cad761c4bf160d2ea854522c0340c6e18f5e49c1c90068bd6a6ba9
Instruction Fuzzy Hash: 0C31B033A1078482EA109F19E4493DEB368EB84B90F444229EF9D17B95DF7CE686C700

Function 000000013FF62AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 000000013FF62AFE
SetFileTime.KERNELBASE ref: 000000013FF62B9B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 16ea547e45fdb337dd92ed090aa166b0bcd85ecb558cb33e21e2ec595b176583
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: BD21D033F06B4191EE628F31E5157EA6798E7097A8F5580399E48073B5EE3CC687C300

Function 000000013FF6AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 000000013FF6AB67
LoadStringW.USER32 ref: 000000013FF6AB80

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 2a6765068ef61ea87b99ca83ec463d883277c871bc9cabbcb5eed4b26ce53ee9
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 52116A72B04B4486EA048F2AA940789B7A9B789FD0F54453DCE09A3731DF78CE428744

Function 000000013FF62BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000013FF62C11
GetLastError.KERNEL32 ref: 000000013FF62C1E

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: c1bd6e8445d59117209e9db98ced65471aaed51c5cb3ad403f4f0d190566de09
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 7F113733A1468082EB608B25E8857996368E745BB8F54432ADE6D562E9DF38CA97C700

Function 000000013FF5255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF6A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF6A504
Part of subcall function 000000013FF6A4AC: SetDlgItemTextW.USER32 ref: 000000013FF6A573
Part of subcall function 000000013FF6A4AC: GetWindowRect.USER32 ref: 000000013FF6A5AD
Part of subcall function 000000013FF6A4AC: GetClientRect.USER32 ref: 000000013FF6A5BB

GetDlgItem.USER32 ref: 000000013FF525AC
SetWindowTextW.USER32 ref: 000000013FF525C8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: 64054e75db15c4c181a3b608a21e6fd390ef54e23b9c378e0d592242a50efdfc
Instruction ID: 1303b73f3f01fdf7aac96d1ffcf20e6b5ae8ea8523a696201ba6edd35a54bb0b
Opcode Fuzzy Hash: 64054e75db15c4c181a3b608a21e6fd390ef54e23b9c378e0d592242a50efdfc
Instruction Fuzzy Hash: 0301EC32E0564981FF595F52A4683E95799AB85B84F08413DED49067EAEE6CCF86C300

Function 000000013FF6EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,000000013FF6EBAD,?,?,?,?,000000013FF65752,?,?,?,000000013FF656DE), ref: 000000013FF6EB5C
GetProcessAffinityMask.KERNEL32 ref: 000000013FF6EB6F

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 357eb970ceb00d740ecc40a82e04265c33b9cd03504022598702de2339af74b4
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: C0E09B73F2058546DF598F65D4517DA7396BBC8B44F848039DA0783624DE2DD646CB00

Function 000000013FF821D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF82200

Part of subcall function 000000013FF82F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF82F85

Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF82206

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: 9eb3fbe7a34335b4a50b3b94feb11b0b10dcf52c0e0fa214a5b4bb5097459b99
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 39E01773F0252945FE287272982A3F40C8C4F29370E2C1B3CDE36482D2AE24E7939210

Function 000000013FF852EC Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

__vcrt_FlsAlloc.LIBVCRUNTIME ref: 000000013FF852F7
__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000000013FF85327

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Alloc__vcrt___vcrt_uninitialize_ptd
String ID:
API String ID: 3765095794-0
Opcode ID: b626eb9a3b6ada7a78012530218f632c6a75038fb9b1341251fc2fb1ecdc57fa
Instruction ID: f4e885255cf988fb43ac90740adf97b030488b34e72f62ac27105ff87e8c9cc8
Opcode Fuzzy Hash: b626eb9a3b6ada7a78012530218f632c6a75038fb9b1341251fc2fb1ecdc57fa
Instruction Fuzzy Hash: 7BE04F77D10A20D2FA106B349C853F82E5A6B41330FD4163CDC29862E2DBB4CB47D750

Function 000000013FF8D90C Relevance: 2.5, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000013FF8D922
GetLastError.KERNEL32 ref: 000000013FF8D934

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 6e017697516e95d06e9f42e9ced937efb18a68749daa5ac596941cdc938463ed
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: D3E0EC73E0155546FF18AFB298453ED16D95F94B55F44403CCD0986392EA288A87C600

Function 000000013FF533E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5388C

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: deae3c916c444cfeab86934886f13cb992ac779b5b91c30a9f2379e968adca9b
Instruction ID: 634be8ff8dd2e16365be58a56f93a93640c67fd58b9baedc9bc9c2af34b5d8f5
Opcode Fuzzy Hash: deae3c916c444cfeab86934886f13cb992ac779b5b91c30a9f2379e968adca9b
Instruction Fuzzy Hash: 74D18B73B04680D6FB688B2996883E9ABAAF705F94F04043ECF5D477A5CB34D666C700

Function 000000013FF65294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6551B

Part of subcall function 000000013FF713F4: CompareStringW.KERNEL32 ref: 000000013FF7145A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: f77260627b75add95ca9d2c0935e9610f9349842e6d8a2c52f671b725446453a
Instruction ID: c19ee01f88703691be4b4dce601ae6c6ff5ce1aa37ab2020588891449f4c6869
Opcode Fuzzy Hash: f77260627b75add95ca9d2c0935e9610f9349842e6d8a2c52f671b725446453a
Instruction Fuzzy Hash: 47614733E1464581FE649A3584653FE669EAB41FF4F1C423DAE4977AC6EE78C6438300

Function 000000013FF71870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF6E948: ReleaseSemaphore.KERNEL32 ref: 000000013FF6E974
Part of subcall function 000000013FF6E948: CloseHandle.KERNELBASE ref: 000000013FF6E993
Part of subcall function 000000013FF6E948: DeleteCriticalSection.KERNEL32 ref: 000000013FF6E9AA
Part of subcall function 000000013FF6E948: CloseHandle.KERNEL32 ref: 000000013FF6E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF71ACB

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 64e4c0b27db856b2e1557b0c40e73339b2e4437797481325bfee9d1e55471a1b
Instruction ID: c1dcc8ca51fa04f1f21504ec668155b4baab049fa8e27822acdff02aa643b5c5
Opcode Fuzzy Hash: 64e4c0b27db856b2e1557b0c40e73339b2e4437797481325bfee9d1e55471a1b
Instruction Fuzzy Hash: F0616C73B11A84A2FE08EF65D5543ECB369FB40BD4F54423AEF2947A85CF64D66A8300

Function 000000013FF5EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5EEB8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ee4693f2c48cedbc51ad7bc029ee064e32ea8ec3cb116d2b04c7847efbfa9451
Instruction ID: 0af7f90209df9aee8286023f889af59ac7ea316f64285743e6e63e7859ee349d
Opcode Fuzzy Hash: ee4693f2c48cedbc51ad7bc029ee064e32ea8ec3cb116d2b04c7847efbfa9451
Instruction Fuzzy Hash: 4B51BE73A10A8081FA149B26E4493DD2B99F786BD8F44013AEE4D07796DF7DC686C304

Function 000000013FF5E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF63EC8: FindClose.KERNELBASE(?,?,00000000,000000013FF70811), ref: 000000013FF63EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5E993

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: e8163c2a7431a384f10e23062ae674c5baa781d2f4b04224e71daf838b7b6f9c
Instruction ID: ee86bea57d88025741b58404f93691a95857aad7e7190dcfd366113d89ad7a60
Opcode Fuzzy Hash: e8163c2a7431a384f10e23062ae674c5baa781d2f4b04224e71daf838b7b6f9c
Instruction Fuzzy Hash: ED513D33A14684C2FB609F65D4893DD63A9F785B98F44013AEE8D4B7A5DF28CA43C718

Function 000000013FF61794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6187D

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1d654c8d03723e7a52e8c6ec94e86296d18edc9530b95e6b5aacb605859593f9
Instruction ID: 76f6358208ddeff49a7c98250361a45c83bde122b2466c157141ab22deade09e
Opcode Fuzzy Hash: 1d654c8d03723e7a52e8c6ec94e86296d18edc9530b95e6b5aacb605859593f9
Instruction Fuzzy Hash: 5441C673B14A9042EF149A27EA443A9A659F784FD0F448539EE8C47F5ADF78C6928340

Function 000000013FF62F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF630C8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: cab7c8e5bf3294768a5d9aacc8301bc09f4a461291b50e69aa2630182cdd03d2
Instruction ID: 9eb5f79aaf7b147d53e544e3cc65aaaa89721b632a87c733909a537b6ab43459
Opcode Fuzzy Hash: cab7c8e5bf3294768a5d9aacc8301bc09f4a461291b50e69aa2630182cdd03d2
Instruction Fuzzy Hash: 0541DD73A00B5481FE149B39E5453AA23A5E789BE8F141239EE49077AADF39C6868740

Function 000000013FF8BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000013FF8BE20

Part of subcall function 000000013FF8BFB0: GetModuleHandleExW.KERNEL32 ref: 000000013FF8BFD0
Part of subcall function 000000013FF8BFB0: GetProcAddress.KERNEL32 ref: 000000013FF8BFE6
Part of subcall function 000000013FF8BFB0: FreeLibrary.KERNEL32 ref: 000000013FF8C00B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 54b607a89ff5251efc099be7139e753f2e4759d41f7c4633adb594795c344f78
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 0941F133E1062086FB24DB14D9903E92BA9A799B40F44443EDF2A5B7E1EB39CE47C740

Function 000000013FF5129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF51396

Part of subcall function 000000013FF51F80: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF51F89

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction ID: 89b77ab24fd4522c1744a4b825f4586d63fa82ba542b641a70d73c41cbdcf897
Opcode Fuzzy Hash: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction Fuzzy Hash: 7C21B333A00750C5EA14AF92E4183E96658F705FF0F680B389F7D57BD1DAB8E6928344

Function 000000013FF53AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF53B6C

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8fc652ac7c959a295c7730ce90c0f7499c45745d6b82b8dbd8efa7802d42d794
Instruction ID: f645a3a67293f48c0528c26034f4d1fd0e24852e9edac33720fe3aafe75800b7
Opcode Fuzzy Hash: 8fc652ac7c959a295c7730ce90c0f7499c45745d6b82b8dbd8efa7802d42d794
Instruction Fuzzy Hash: E50180B3E14AC491FE119B28E4453997366F789B94F805229EEDC07BA6EF68D2428704

Function 000000013FF81558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000013FF81604: GetModuleHandleW.KERNEL32(?,?,?,000000013FF81573,?,?,?,000000013FF8192A), ref: 000000013FF8162B

DloadProtectSection.DELAYIMP ref: 000000013FF815C9

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: 8014e46e4ef55960ebe763c8610d1e8dec3c945d6d2fe98a5e07142ddb4d5811
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: 74111273E1461881FB64AB05EA853D0279CA794F58F18013CCD0A4B3B5EB388F97C710

Function 000000013FF63EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF640BC: FindFirstFileW.KERNELBASE ref: 000000013FF6410B
Part of subcall function 000000013FF640BC: FindFirstFileW.KERNEL32 ref: 000000013FF6415E
Part of subcall function 000000013FF640BC: GetLastError.KERNEL32 ref: 000000013FF641AF

FindClose.KERNELBASE(?,?,00000000,000000013FF70811), ref: 000000013FF63EFD

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: b19a895a067a45cf775019a167a8288e864ed64219d65ef86b50a77a84d9a22e
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: E9F0C27390428085EA54AFB5A2013D93764971ABB4F14133CAE3A073C7CE24C586C745

Function 000000013FF8D94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000000013FF8D98A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 9ad1d5697055dadf452563244f0d454fb5de12ed46d329a733884f66dc0def7e
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: B1F0A033F012A454FF646FB158553ED1E985F847A4F08163CDD2A863C1DE28CA838210

Function 000000013FF6273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 000000013FF62755

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: 054d705549f475647b938e6fb612d5f826bd0f27f847298e79924704865d25e3
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: CCE0C223B2051482EF20AB3AC842B991324EB8DFC4F8810348E0C07371CE29C596CA00

Function 000000013FF8D580 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000000013FF8D5AB

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: ce8e2ffe289f7fce94720d68f3ba514a3dbdfcf06443afd0443132baf869d67a
Instruction ID: 3fe39ffbc9e36f73510a1bd9768d8e471a5aa97c453af4b3efc6676f47f53713
Opcode Fuzzy Hash: ce8e2ffe289f7fce94720d68f3ba514a3dbdfcf06443afd0443132baf869d67a
Instruction Fuzzy Hash: 1AE01273D1213094FE646B3054867EC1A5C2F1571CF90093EDD164A3D2E72487475A10

Function 000000013FF62490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 000000013FF624A2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 88852df6a09b9446f4f6074f265d219cc3eded0c419d742a454713727063a99c
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 5FD01233D0144082DD1097369C923AD2354AB92735FB40714DA3A816E2CE1DC697A311

Function 000000013FF67FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 000000013FF67FD2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 25d916a43c7c912c3afd3c7dfb4b99822d623809f6e04952b0f15cf153495b97
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: D5C04C32F15501C1DA089B26C9CA74913A9B754B15FA54129D90981270DE29C6EB9785

Function 000000013FF620D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 000000013FF620F6

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 1fba9aaf451822fc74a427bacb20e072528fed0eafb1675719ee2125144ca135
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 58F0CD33A0968585FF248F30E1413A92768E314BB8F484329EF38852D8DF28CA97C300

Non-executed Functions

Function 000000013FF5C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF5DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FF5CF4B), ref: 000000013FF5DE27
Part of subcall function 000000013FF5DE04: GetLastError.KERNEL32 ref: 000000013FF5DE88
Part of subcall function 000000013FF5DE04: CloseHandle.KERNEL32 ref: 000000013FF5DE9B

wcscpy.LIBCMT ref: 000000013FF5CBC8
wcscpy.LIBCMT ref: 000000013FF5CBFE
CreateFileW.KERNEL32 ref: 000000013FF5CC38
DeviceIoControl.KERNEL32 ref: 000000013FF5CD01
CloseHandle.KERNEL32 ref: 000000013FF5CD12
GetLastError.KERNEL32 ref: 000000013FF5CD2E
RemoveDirectoryW.KERNEL32 ref: 000000013FF5CD7D
DeleteFileW.KERNEL32 ref: 000000013FF5CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5CED7

Strings

UNC\, xrefs: 000000013FF5C53F, 000000013FF5C55D
SeCreateSymbolicLinkPrivilege, xrefs: 000000013FF5C34F
\??\, xrefs: 000000013FF5C392, 000000013FF5C3B8
SeRestorePrivilege, xrefs: 000000013FF5C343

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 2b29d3339ab04c1a7270bf370d50b6fd8c35a30e2b651de71bed7b22e0c2bcde
Instruction ID: 460eadae20b32894396cd7880fdc96c56a479f45b04a6952e67c16b9cc067d88
Opcode Fuzzy Hash: 2b29d3339ab04c1a7270bf370d50b6fd8c35a30e2b651de71bed7b22e0c2bcde
Instruction Fuzzy Hash: 34629E73F10A9085FB00DBB4D4893DD2769E7857A8F50422ADE6D57AEADF74C68AC300

Function 000000013FF6F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 000000013FF70528

Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB67
Part of subcall function 000000013FF6AAE0: LoadStringW.USER32 ref: 000000013FF6AB80

Part of subcall function 000000013FF7B0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,000000013FF70429), ref: 000000013FF7B110
Part of subcall function 000000013FF7B0DC: SetLastError.KERNEL32 ref: 000000013FF7B153

Part of subcall function 000000013FF5129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF51396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF70490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF70496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF704F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF70532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF70538

Strings

%s: %s, xrefs: 000000013FF6FC11
%ls, xrefs: 000000013FF6F3AC, 000000013FF6F3FF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: ad02539a7615a4da39f249392d2b6a9ba509cbab837690a24a6727856c9cddba
Instruction ID: f40804b097a89f2d26a256cedc37e0e051028affa947d1162a1f6f37bf1664cd
Opcode Fuzzy Hash: ad02539a7615a4da39f249392d2b6a9ba509cbab837690a24a6727856c9cddba
Instruction Fuzzy Hash: 40B27773A1468182EA109F25D4553EEA319FBD67D0F10433AAE9D47BEAEF68C746C700

Function 000000013FF92550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF92C12
memcpy_s.LIBCMT ref: 000000013FF935BF
memcpy_s.LIBCMT ref: 000000013FF93666

Part of subcall function 000000013FF938BC: _invalid_parameter_noinfo.LIBCMT ref: 000000013FF938EE

memcpy_s.LIBCMT ref: 000000013FF9372F

Part of subcall function 000000013FF8D008: _invalid_parameter_noinfo.LIBCMT ref: 000000013FF8D02D

Strings

1#IND, xrefs: 000000013FF937AA
1#SNAN, xrefs: 000000013FF937C9
1#INF, xrefs: 000000013FF93807
1#QNAN, xrefs: 000000013FF937E8

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: a4a39caccf6f3b86f5ee1c1f221a174397509cff130440ca14e2b5b916a94c7c
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 41B2C173E002918BE7758E69D840BEE3BA9F38878CF50513DDE1657B98DB35CA068B40

Function 000000013FF61A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 000000013FF61A97
GetLongPathNameW.KERNEL32 ref: 000000013FF61AE0
GetShortPathNameW.KERNEL32 ref: 000000013FF61B21
GetShortPathNameW.KERNEL32 ref: 000000013FF61B6A

Part of subcall function 000000013FF713C4: CompareStringW.KERNEL32 ref: 000000013FF713E3

MoveFileW.KERNEL32 ref: 000000013FF61DFE
MoveFileW.KERNEL32 ref: 000000013FF61E65

Part of subcall function 000000013FF62134: CreateFileW.KERNEL32 ref: 000000013FF6223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF61FED

Strings

rtmp, xrefs: 000000013FF61CF4, 000000013FF61D03

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 46720b277ee4ca4cb7735330bedb27dc610672b28b4e4f5b2232f8dc8f14668d
Instruction ID: 57a3ae537b60dd336bef8a7d4d22f3657a11b6a5ee5aacb5c33b054af5325204
Opcode Fuzzy Hash: 46720b277ee4ca4cb7735330bedb27dc610672b28b4e4f5b2232f8dc8f14668d
Instruction Fuzzy Hash: DEF1D233B00A8081EB10EB75D4843DE67B5F7857E4F50122AEE8D43AA9DF38C686C740

Function 000000013FF65B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 000000013FF65BC2
GetFullPathNameW.KERNEL32 ref: 000000013FF65C0E
GetFullPathNameW.KERNEL32 ref: 000000013FF65D2B
GetFullPathNameW.KERNEL32 ref: 000000013FF65D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF65EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF65EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF65EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF65EF2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 9da81c3bc7566f90a4d86f7365aa6446543d628d65e0ea004da70b429abed106
Instruction ID: 7e260c1ddeac3f64ee9584eee10263484d72200e21243c47adc06537800aebc4
Opcode Fuzzy Hash: 9da81c3bc7566f90a4d86f7365aa6446543d628d65e0ea004da70b429abed106
Instruction Fuzzy Hash: 02A19273F11B6085FF108BB9D9443ED2365A795BE4F585229DE2A27BD9DE74C283C200

Function 000000013FF83170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000013FF8318C
RtlCaptureContext.KERNEL32 ref: 000000013FF831B9
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FF831D3
RtlVirtualUnwind.KERNEL32 ref: 000000013FF83214
IsDebuggerPresent.KERNEL32 ref: 000000013FF83268
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FF83289
UnhandledExceptionFilter.KERNEL32 ref: 000000013FF83294

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 08c02068cc454cddd9b235bfedfb05704c60a87fd6fbfbf3ccc31694349f6a07
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: E8315973604B909AEB608F60E8507EE7768F784B48F84443EDE4E57A98EF78C649C710

Function 000000013FF876D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000013FF87751
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FF87769
RtlVirtualUnwind.KERNEL32 ref: 000000013FF877A4
IsDebuggerPresent.KERNEL32 ref: 000000013FF877DD
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FF877E7
UnhandledExceptionFilter.KERNEL32 ref: 000000013FF877F2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 6c636af7861857ca3327a5032b2928d11d54361aa56d83d8debfa23152fc7edc
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 0B315E33614B9096EB60CF25E8407DE77A8F788B54F540129EE9D43B99EF38C656CB00

Function 000000013FF51AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF51EBB

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 300dd9cc50a5c7816435619c3f5343720d80d9ae4efb6ade2117f3cf4a891e63
Instruction ID: 88d5157198a7235f124ab7793e65aae37390ac8e8f6d28820c76ba166f7971f5
Opcode Fuzzy Hash: 300dd9cc50a5c7816435619c3f5343720d80d9ae4efb6ade2117f3cf4a891e63
Instruction Fuzzy Hash: E3B1BF73B10A9496EB10AF65D8483DE2365F7897D8F505229EE5D07BA9EF38D642C300

Function 000000013FF8FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8FAC4

Part of subcall function 000000013FF87934: GetCurrentProcess.KERNEL32(000000013FF90CCD), ref: 000000013FF87961

Strings

*?, xrefs: 000000013FF8FAEB
., xrefs: 000000013FF8FEE4

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: a1cea1e974561325173d300ebecf886d0c4ad7b8942a1e15027de752315acff3
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: FD51B473B11AA449EF10DFA2E8107ED6BA8FB48BD8F544539DE5917B85DA38C6438300

Function 000000013FF92080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 000000013FF9210B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 95c822bb3e478e7243c4fe255bc125d522f977669741ac83309d47674cd2fe25
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 87D1C133B1568587EBB4CF15E188BAAB7A9F398784F148138DF4A57B44D738DA46CB00

Function 000000013FF5B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,000000013FF5BA9D), ref: 000000013FF5B6E5
FormatMessageW.KERNEL32 ref: 000000013FF5B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,000000013FF5BA9D), ref: 000000013FF5B743

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: d65642989c5b842be871ebfb78d0bc0bee207db6dc1bff221ddbac3f5d46bcb8
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 7401FF72608B4182E7109F22B9553AB6799F789BC0F484038AE8E47B99CE38C616CB00

Function 000000013FF8FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 000000013FF8FEE4

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c6a507b225cd4218212adc004c755bbf20f968de81e7d05236a270c9e1509e97
Instruction ID: 867fee5739ecdc7ec1c9c0fecc51557a32a41816199411bfcc29623122cab136
Opcode Fuzzy Hash: c6a507b225cd4218212adc004c755bbf20f968de81e7d05236a270c9e1509e97
Instruction Fuzzy Hash: 6831FB33B106A049FB209B36E8057DA7E95B795FE4F148239DF5847BC5DA38C6038300

Function 000000013FF95AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000013FF95D45
RaiseException.KERNEL32 ref: 000000013FF95D56

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: d403ae90d734a446e9862ba7a556967cc289086959e7b30ccd99a639cc36965d
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 65B12D77610B888BEB19CF29C8463AD7BE4F384B58F198926DF59877A4CB39C552C700

Function 000000013FF78DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF785E0: GetDC.USER32 ref: 000000013FF785EC
Part of subcall function 000000013FF785E0: GetDeviceCaps.GDI32 ref: 000000013FF785FD
Part of subcall function 000000013FF785E0: ReleaseDC.USER32 ref: 000000013FF7860A

GetObjectW.GDI32 ref: 000000013FF78E48

Part of subcall function 000000013FF790B0: GetDC.USER32 ref: 000000013FF790D9
Part of subcall function 000000013FF790B0: GetObjectW.GDI32 ref: 000000013FF79107
Part of subcall function 000000013FF790B0: ReleaseDC.USER32 ref: 000000013FF791BB

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 81945823ece2f6e6b3cf0f5967938ed4441689b07eef84a027a4d609f1825289
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: 2E81F637B14A0486EB208F6AE94079D7779F788F98F50412ADE0D97B68DF39C64AC740

Function 000000013FF7A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000000013FF7A315
GetNumberFormatW.KERNEL32 ref: 000000013FF7A371

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: d7f7d8607c4c0a6006e4383b83c9a7e9ab924c3e022162ed3f53dc294ecb7a83
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: E5111933A14B8496E7618F21E8507DA7368FB88B84F844139EF4953768EF38C64ACB44

Function 000000013FF6126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF624C0: CreateFileW.KERNELBASE ref: 000000013FF6259B
Part of subcall function 000000013FF624C0: GetLastError.KERNEL32 ref: 000000013FF625AE
Part of subcall function 000000013FF624C0: CreateFileW.KERNEL32 ref: 000000013FF6260E
Part of subcall function 000000013FF624C0: GetLastError.KERNEL32 ref: 000000013FF62617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF615D0

Part of subcall function 000000013FF63980: MoveFileW.KERNEL32 ref: 000000013FF639BD
Part of subcall function 000000013FF63980: MoveFileW.KERNEL32 ref: 000000013FF63A34

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: f8f20fe289e50002a0a54c88778f70f50b297ae81d229b3573a39973a23deb87
Instruction ID: 9227ead262ab2334fd2b32303ef811a1bb461523f43da6a5031780448c13ed6d
Opcode Fuzzy Hash: f8f20fe289e50002a0a54c88778f70f50b297ae81d229b3573a39973a23deb87
Instruction Fuzzy Hash: 3A919D33B20A4482EB50EB76D4853DE6369F795FD8F40402AAE4E57BA5DF38C64AC740

Function 000000013FF64EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 000000013FF64EE2

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: 2583f7a22f4c5fb9ec06a59dcf9021b4a6764dac0619645b20ee0ec48716f426
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: BB01F473D499858AFA31AB30B4257D63798A3A9725F44113CDD98073A1CB3C9B8BCF04

Function 000000013FF88C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 000000013FF88DD3

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 3cead3af8d7dfba9b208df4a1e70a6c1f8fb849fc19733a57db6757d48431150
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 09810433B1026146FBB88E2586807ED2BE9E751B48F54193DDD029BB99E735CB4BC740

Function 000000013FF889A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 000000013FF88B3A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 8be7442bd21fdcfe14da5149320ba471e56423d79dbb032cec34a46ca392c2e3
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 76712733A052B056FBB88A2986803EE2FD8A781B44F18597DDD419B7EAC725CB47C741

Function 000000013FF6C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 000000013FF6C97B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: f637a4b61fc7bd6cad6b7faad0e2c5ad4ae8af100f868604f958a3c317668b08
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: 2451B3377246908BD724CF25E404A9E77A5F388758F45511AEF8A93F09CB39DA45CF40

Function 000000013FF8C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 000000013FF8C874

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 2a2f9556701e6a8ab4dbbd60502f2f46b42d51a4c30df0a7b2d657199e74c3af
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: C841AC73720A9486EE04CF2AE9543D97BA9A358FD4F49903ADF0D87754EA3CC686C300

Function 000000013FF90D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000013FF90D24

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 67eca5ec4ff1d79953695c30f467d78128d20735560fbe3c8109e0d06133b3cb
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: 30B09231E13A04C2EA082B116D8238822E8BB48740FE8806DC90C91320DA2C0AA68700

Function 000000013FF73964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: 2e17112648d7e15954d682b80cf2650cafd958757b7117f531d29f4004e0766f
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: BC8217B7A05AC086D715CF28D4447ECBBA5E355FC8F19823EDE9A87395E638C64AC310

Function 000000013FF576C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 8ae18ff76960cb9ecfaa206c9556025bc1c3d85606905e87fae24a52579d077e
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 97626F9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 000000013FF753F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: c77bcddd1ecd00189283bc8f2f89fefb37edb8820b74f8fa021e11f2a54c6577
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 0D82F5B7A056C08AD715CF28D4547FCBB65F355B88F19C23ACE4987789DA38CA4AC710

Function 000000013FF6BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 7b75efdf0a1fe42ce6aa3e05bbf16cfc8d23a438236e0867628e4400cbdb5c59
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: AC22C273B206508BD728CF25D89AA5E376AF399744F4B8228DF46CB785DB38D605CB40

Function 000000013FF74B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: 78d94c937d19583a91c564099ddf44183383a21ca4fd409826608649f175d15e
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: B732BF73A045908BE718CF28D554BFC77A5F354B88F05823EDE8697B88D738996ACB40

Function 000000013FF57288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 589e1f8573fedb5e1e45907bbfc6df04e31b7e9483db47af7cbc0a57afb0db37
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: 1EC189B7B281908FE350CF7AE400A9D3BB1F39878CB51A125EF59A7B09D639D645CB40

Function 000000013FF72D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: dd2f1d7c88eec6b89edf88504bbe6270ec99105e22b14caa58487377a92a5099
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: 7BA16673F0018086EB25DA38D444BEDB799E3A07C8F55463DDE4697786DA38CA8BCB10

Function 000000013FF6AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 49ac4fea488b8abf7d83622b7361837c2c1ab6046a593be103335b07eb83d4e9
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: EFC1C377A291E04DE302CBB5A4249FD3FB5E31E34DF4A4245EF9266B4AD6284301DB60

Function 000000013FF5A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 80e53dd981b3e2404f1ef41f83b24969c10655db9f771a9f0ff3cfb6251ae440
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 42913D73B1069096EB11CF29D8517ED2B21FBA6B88F441125EF4E17B5AEE39C70AC300

Function 000000013FF6B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 039ad40ee13289c1bf587f877513873dd904acd69f25b8a2232f4760d8970b12
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: F9612033B101D049EB11CF7585007ED7FB9A309798F8A806ACF966374ADA39C606CB20

Function 000000013FF721D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: 08380f2dce91d7344b19eeb3a4e77d83a4c1396649638c23a2ea1e3a2c636690
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 6E512673B141A04BF7688F28D018BEDB766F394B88F4541289F4587689DB3DC64ACF00

Function 000000013FF72AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 5d171070675999eff4d1b4fbcc7396ad82d07174204f9a6bad209c369a212d21
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 07311AB3A145804BE718DE2AD5517AEB7D5F344394F04813DDF42C7B41DA78D646CB00

Function 000000013FF6DC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: 5f5979c69ea4c99920eeba483fb777014bb344c65626c3eab3d12578f97f8488
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: 18F01C73F1840D42FB68003C9C193BD105E9B12334F648A7EEE17EA2C6D9E9CA83A149

Function 000000013FF83354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: 2b91cc67403da8ffe96a046a0061852d668a65b48d9ce3d5b19577a5702318de
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 38A00273904C50E0E6448B11E9607F12738F350300F94003DF84DA10B4DF389603C300

Function 000000013FF5D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D964

Strings

:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 000000013FF5D875
::$EA_INFORMATION, xrefs: 000000013FF5D828
:$I30:$INDEX_ALLOCATION, xrefs: 000000013FF5D849
::$INDEX_ALLOCATION, xrefs: 000000013FF5D83E
::$BITMAP, xrefs: 000000013FF5D807
::$LOGGED_UTILITY_STREAM, xrefs: 000000013FF5D85F
::$FILE_NAME, xrefs: 000000013FF5D833
::$REPARSE_POINT, xrefs: 000000013FF5D88B
::$EA, xrefs: 000000013FF5D81D
::$ATTRIBUTE_LIST, xrefs: 000000013FF5D7FC
::$DATA, xrefs: 000000013FF5D812
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 000000013FF5D86A
::$INDEX_ROOT, xrefs: 000000013FF5D854
::$OBJECT_ID, xrefs: 000000013FF5D880

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 7a6d946e213098ab8cc9fb54a64ac08de2763ec1b5bc3a926e1f7339651cfd74
Instruction ID: 655fa292bdb67be12ae6cd6e0942d283233983c10d559210806300af29d3a344
Opcode Fuzzy Hash: 7a6d946e213098ab8cc9fb54a64ac08de2763ec1b5bc3a926e1f7339651cfd74
Instruction Fuzzy Hash: 7441A276A12B00D9EB019F65E5843DD33A9EB48798F80063ADE4C57B69EE34C65AC384

Function 000000013FF82A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000013FF82A26
GetModuleHandleW.KERNEL32 ref: 000000013FF82A33
GetModuleHandleW.KERNEL32 ref: 000000013FF82A48
GetProcAddress.KERNEL32 ref: 000000013FF82A60
GetProcAddress.KERNEL32 ref: 000000013FF82A73
CreateEventW.KERNEL32 ref: 000000013FF82A9F
DeleteCriticalSection.KERNEL32 ref: 000000013FF82AEB
CloseHandle.KERNEL32 ref: 000000013FF82AFD

Strings

kernel32.dll, xrefs: 000000013FF82A41
SleepConditionVariableCS, xrefs: 000000013FF82A56
WakeAllConditionVariable, xrefs: 000000013FF82A66
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000000013FF82A2C

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 5a9eb0604b345500c8320b7e84a0e297aff23a6530ff72c54371c6d42c35c8dd
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: CA211D76E11A1581FF65DB61EA557E927A8AF88B80F84403DCD0A427B1DF38DB87C300

Function 000000013FF66A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670A6

Part of subcall function 000000013FF52004: std::_Xinvalid_argument.LIBCPMT ref: 000000013FF5200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF670DC

Strings

DXGIDebug.dll, xrefs: 000000013FF66A18
\\?\, xrefs: 000000013FF66A57, 000000013FF66A66
UNC, xrefs: 000000013FF66BBF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: ee57ffdaa628a4523baa33cf3aee09a7e7a0d12a4d8e146c800fe8bc560304e6
Instruction ID: 23f7b6d27ec62e20dad744d1774d0ab5ad0ee668fa1fbc051a2bb04700f8547b
Opcode Fuzzy Hash: ee57ffdaa628a4523baa33cf3aee09a7e7a0d12a4d8e146c800fe8bc560304e6
Instruction Fuzzy Hash: 17129B33B05A4094EF10DB65E4443DD6379E785BA8F50422AEE5D4BBE9DF38C68AC344

Function 000000013FF7A440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF5129C: Concurrency::cancel_current_task.LIBCPMT ref: 000000013FF51396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7A72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7A735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7A73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7A741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7A747
EndDialog.USER32 ref: 000000013FF7A7BA

Strings

Software\WinRAR SFX, xrefs: 000000013FF7A52B, 000000013FF7A53A
GETPASSWORD1, xrefs: 000000013FF7A773

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: e649241556eb4477795fcdb655db1f67983da935ee3a1250067e8312a05c5626
Instruction ID: b3ef5b91e600789c17e6b6812d4d096d5a6e6c34680e6869428fc409cee86bad
Opcode Fuzzy Hash: e649241556eb4477795fcdb655db1f67983da935ee3a1250067e8312a05c5626
Instruction Fuzzy Hash: 0AB1CB73F11B8085FB00DFA4D4843ED637AA785798F404229DE1C66AE9EE38C69BC304

Function 000000013FF76E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000013FF77E9B), ref: 000000013FF77080
CreateStreamOnHGlobal.OLE32 ref: 000000013FF770B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF77181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF77187

Strings

<html>, xrefs: 000000013FF76F13
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 000000013FF76ED5, 000000013FF76EE4
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 000000013FF76F2C, 000000013FF76F3B
</html>, xrefs: 000000013FF76F72, 000000013FF76F81

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 51127e303019f1fa10426485046a28b2719f38416803858a6fe94b28818fe22a
Instruction ID: d39cfb3a262416848dd16da55fc0dd513e03632029399dd0cb01f015099a1414
Opcode Fuzzy Hash: 51127e303019f1fa10426485046a28b2719f38416803858a6fe94b28818fe22a
Instruction Fuzzy Hash: C7818873F10A4485FB10DBA5D8403DDA379AB49BD8F40463ADE1967AAAEE74C60BC340

Function 000000013FF8E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8E7CD

Strings

nan(ind), xrefs: 000000013FF8E706
nan, xrefs: 000000013FF8E6B8
nan(snan), xrefs: 000000013FF8E6F0
inf, xrefs: 000000013FF8E6D6
INF, xrefs: 000000013FF8E6C3
NAN(IND), xrefs: 000000013FF8E6FB
NAN, xrefs: 000000013FF8E6B1
NAN(SNAN), xrefs: 000000013FF8E6E5

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 2977affbbcdf79b921180af2871a2843dcb246cf5d93472b7931b7a6152f590f
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: E6419C73B02B9489FB14CF65E8417CE3BA8E719798F41453AEE9C07B94DA38C266C344

Function 000000013FF7F390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 000000013FF7F3CF
GetClassNameW.USER32 ref: 000000013FF7F3FC
GetWindowLongPtrW.USER32 ref: 000000013FF7F41D
SendMessageW.USER32 ref: 000000013FF7F437
GetObjectW.GDI32 ref: 000000013FF7F452
SendMessageW.USER32 ref: 000000013FF7F487
DeleteObject.GDI32 ref: 000000013FF7F490
GetWindow.USER32 ref: 000000013FF7F49E

Strings

STATIC, xrefs: 000000013FF7F402

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: 901f4aad77273049d8678bf9148895343b45afa08a3115917fd4ac0d05e2314b
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 4431E437B1464082FA64DF12E9547EAA3A9F788BD4F540038DD4A47B96DF3CCA0B8780

Function 000000013FF7AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 000000013FF7AEAE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: c64405f7b759526764301fb8bab5092cca9eac4119e8529beac6771ea4c0105d
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 97419C33A14A5482FB589B12E8147E967A9A788FC4F14423CDE0A47BA4DF3DCB4B8300

Function 000000013FF6B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000013FF6BA12
GetProcAddress.KERNEL32 ref: 000000013FF6BA2D
GetCurrentProcessId.KERNEL32 ref: 000000013FF6BACA

Part of subcall function 000000013FF6DFD0: GetSystemDirectoryW.KERNEL32 ref: 000000013FF6DDDF

Strings

Crypt32.dll, xrefs: 000000013FF6B9F0
CryptUnprotectMemory failed, xrefs: 000000013FF6BAC1
CryptUnprotectMemory, xrefs: 000000013FF6BA1F
CryptProtectMemory, xrefs: 000000013FF6BA08
CryptProtectMemory failed, xrefs: 000000013FF6BA80

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction ID: 77b31dbca7da3745eb9d483e67458bb4b5489a1835ebc5bd214a6e05e83677d4
Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction Fuzzy Hash: CE315B37A05B0480FA249B26A9543EA27A9FB45BA0F45517DCE4A437B8DF38CB87C700

Function 000000013FF787D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF78DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF78DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF78DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF78DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF78DE0

Strings

, xrefs: 000000013FF78A55
, xrefs: 000000013FF788BE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: fba1bd8aa635f3f6d5198a4fd819999d9510bb129eafd649dd3f86975facee9e
Instruction ID: 59aa1c713f9aa4be22f1fb352ede33309af18e4113f027a6262468cea5592214
Opcode Fuzzy Hash: fba1bd8aa635f3f6d5198a4fd819999d9510bb129eafd649dd3f86975facee9e
Instruction Fuzzy Hash: 92F1B073F11B4480EF009B69D6483EDA36AA744BE8F605629CE6D57BD5EF74C28AC340

Function 000000013FF857EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000013FF8598A
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FF85CAD
abort.LIBCMT ref: 000000013FF85CE1

Strings

csm, xrefs: 000000013FF858D1
csm, xrefs: 000000013FF85933
csm, xrefs: 000000013FF859B1

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 50616b0bbb31d73e1117d46852f7eeecc0f795a84313ea643dfffdddf2ac1454
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 80E1A073A00BA08BEB609F75D4803ED7FA8F745768F18412ADE8957796DB34D686CB00

Function 000000013FF64F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF64E24: SysAllocString.OLEAUT32 ref: 000000013FF64E5F

VariantClear.OLEAUT32 ref: 000000013FF65125

Strings

ROOT\CIMV2, xrefs: 000000013FF64F7B
Windows 10, xrefs: 000000013FF6510A
Name, xrefs: 000000013FF650F9
WQL, xrefs: 000000013FF6502A
SELECT * FROM Win32_OperatingSystem, xrefs: 000000013FF65017

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 46e8577e6fe901a2d468132bbe460295e0cbeb62c971455f9d3d5b69ce8cee51
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 97710C77A10A0485EB20CF25D9907DD77B8FB88BA8F44512AEE4E53B68CF38C645C740

Function 000000013FF81604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,000000013FF81573,?,?,?,000000013FF8192A), ref: 000000013FF8162B
GetProcAddress.KERNEL32(?,?,?,000000013FF81573,?,?,?,000000013FF8192A), ref: 000000013FF81648
GetProcAddress.KERNEL32(?,?,?,000000013FF81573,?,?,?,000000013FF8192A), ref: 000000013FF81664

Strings

KERNEL32.DLL, xrefs: 000000013FF81624
AcquireSRWLockExclusive, xrefs: 000000013FF8163E
ReleaseSRWLockExclusive, xrefs: 000000013FF81653

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: aa1e886de6e6617b1b8f749a937005f23c83e3ace07d406da4c343de87783508
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: AE112D33E16B1481FE65AB01AA403E5279D6748BA4F4C563DCD5A463A0EE3CCB97C610

Function 000000013FF6ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF651A4: GetVersionExW.KERNEL32 ref: 000000013FF651D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,000000013FF55AB4), ref: 000000013FF6EE05

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 6f1e72c7325fcf0af2052edb373318f7954f363a3b4f4bb801c8407b6d5fb183
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 7C5148B3B106508AEB14CFB9D4403EC37B5F748B98F64402AEE09A7B58DB78D656CB00

Function 000000013FF6F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 000000013FF6F074

Part of subcall function 000000013FF651A4: GetVersionExW.KERNEL32 ref: 000000013FF651D5

LocalFileTimeToFileTime.KERNEL32 ref: 000000013FF6F096
FileTimeToSystemTime.KERNEL32 ref: 000000013FF6F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 000000013FF6F0B2
SystemTimeToFileTime.KERNEL32 ref: 000000013FF6F0C0
SystemTimeToFileTime.KERNEL32 ref: 000000013FF6F0CE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: fce4193601b592fce2bc511554da8c3062de49a9ae13673c55eec0a306e0daa0
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: A0310973B10A5099FB14CFB5D8903ED3774FB08758F54502AEE09A7A58EB78C596C710

Function 000000013FF67918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF67C8C

Strings

rar, xrefs: 000000013FF67A9B, 000000013FF67AAA, 000000013FF67B67, 000000013FF67B7C
exe, xrefs: 000000013FF679AF, 000000013FF679BE
.rar, xrefs: 000000013FF67969, 000000013FF67978
sfx, xrefs: 000000013FF679F3, 000000013FF67A02

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: cd8554260ddee3f68471b11ee4aef8921e4c722a44e964939d6ce9a91093e1e4
Instruction ID: 1b0b01e1270e7b61be420c3c98b2e79c4b822769fc00fb18f897250585f18b07
Opcode Fuzzy Hash: cd8554260ddee3f68471b11ee4aef8921e4c722a44e964939d6ce9a91093e1e4
Instruction Fuzzy Hash: 83A19A33A10A4480EB049F35D9953ED2369BB85BA8F545239DE2A177EADF38C697C340

Function 000000013FF85CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000013FF85D58

Part of subcall function 000000013FF85210: abort.LIBCMT ref: 000000013FF85223

_CallSETranslator.LIBVCRUNTIME ref: 000000013FF85DA3
abort.LIBCMT ref: 000000013FF85FD1

Strings

MOC, xrefs: 000000013FF85D6C
RCC, xrefs: 000000013FF85D74

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: d101fbf43a2e1fff86b401017d4aebd0ab06ed2a883b648c8a75d5ffd9afba00
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 21917F73A04BA48AE711CF65E8803ED7BB4F744798F14412AEF8957B59DB38C296CB00

Function 000000013FF84F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FF84FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 000000013FF85040
RtlUnwindEx.KERNEL32 ref: 000000013FF8508F

Strings

f, xrefs: 000000013FF84FBE
csm, xrefs: 000000013FF85026

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: ec16b6c763adf16a0f2034df3697a8fcc4b777837603d4b438d38ed86f0b1cf3
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: F651A133B11A2187EB14CF15E844BA93F99F344BA8F598138EE5647788DB75DA43CB40

Function 000000013FF5CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013FF5D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D0D7

Part of subcall function 000000013FF5DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FF5CF4B), ref: 000000013FF5DE27
Part of subcall function 000000013FF5DE04: GetLastError.KERNEL32 ref: 000000013FF5DE88
Part of subcall function 000000013FF5DE04: CloseHandle.KERNEL32 ref: 000000013FF5DE9B

Strings

SeSecurityPrivilege, xrefs: 000000013FF5CF3F
SeRestorePrivilege, xrefs: 000000013FF5CF5E

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 7d18d790379317f0803995c178e88ab79334658891d984f74db8c16d37a5e77c
Instruction ID: d65cffa28a4e310108d7708194439931eb55f2e7a28322a00126d86b5340231a
Opcode Fuzzy Hash: 7d18d790379317f0803995c178e88ab79334658891d984f74db8c16d37a5e77c
Instruction Fuzzy Hash: FF51BC73F1565086FB10DBB5D8593ED27B9AB857A4F400139DE1D17BAADE38CA8BC200

Function 000000013FF77B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000013FF77B6F
GetWindowRect.USER32 ref: 000000013FF77BC0
ShowWindow.USER32 ref: 000000013FF77C96
ShowWindow.USER32 ref: 000000013FF77CC3

Strings

RarHtmlClassName, xrefs: 000000013FF77C4B

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction ID: 7339c2a6aaa6d191450c8eaa92d4edb33be6093b5e068899af062dda3741e306
Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction Fuzzy Hash: FD51D633B15B808AEB24DF25E45439AB7A8F789BC4F044539DE8A43B65DF3CD54A8B00

Function 000000013FF7FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 000000013FF7FD43
SetEnvironmentVariableW.KERNEL32 ref: 000000013FF7FDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF7FE1B

Strings

sfxcmd, xrefs: 000000013FF7FD3C
sfxpar, xrefs: 000000013FF7FDB5

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: a2f2ff4eec9cd023bea60e191487a3fc7b1107ac2ef23f4bce237efce2fc713f
Instruction ID: ab830fdd4adb1bbbc82e50e152c867ab1876ad120106d089f4a44fbb404d6126
Opcode Fuzzy Hash: a2f2ff4eec9cd023bea60e191487a3fc7b1107ac2ef23f4bce237efce2fc713f
Instruction Fuzzy Hash: 3C314973A10A1484FF048B69E8843DD63B9F788BD8F541129DE6D57BA9EE74C286C384

Function 000000013FF7FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 000000013FF7FF34, 000000013FF7FF99
RENAMEDLG, xrefs: 000000013FF7FF60

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 0e5b35eec6515c73d8078293bf7b780a8739ba7a9f392d1ac9af48df76bef54a
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 8121DC37A05B8981FA108B15F8443D5A7A8A349BC8F54063EDD6997365DE38CB9BC340

Function 000000013FF8BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000013FF8BFD0
GetProcAddress.KERNEL32 ref: 000000013FF8BFE6
FreeLibrary.KERNEL32 ref: 000000013FF8C00B

Strings

mscoree.dll, xrefs: 000000013FF8BFC7
CorExitProcess, xrefs: 000000013FF8BFDF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: eec64f21c7d116bff430c294d7cceb3f0ca1f16fe3537585136b760341ceba65
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 37F06233A15A4181EF458B11F4803EA67A4EB88BD0F84103EDD4B86764DF3CC686C700

Function 000000013FF945C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF94605

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: fc4fa21602b3185e9844ad6ac31c2175736254aa003abd7437a49a6763de5031
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 5681EF73F20A5489FB209F659880BEE67A9B7A5B88F40812DCE0A53BD5CB34C647C715

Function 000000013FF63AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000013FF63BBB
CreateFileW.KERNEL32 ref: 000000013FF63C24
SetFileTime.KERNEL32 ref: 000000013FF63CEC
CloseHandle.KERNEL32 ref: 000000013FF63CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF63D2C

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 2e61f30820f3e69737d9660ab18874bee1eef0c333cff69c88e9078c01ead55e
Instruction ID: 624f4b0c635277d7c343e2a102ac233697df6a0335002ba72024238d27d0c319
Opcode Fuzzy Hash: 2e61f30820f3e69737d9660ab18874bee1eef0c333cff69c88e9078c01ead55e
Instruction Fuzzy Hash: 6451B073F10A4099FB50CFB5E8403ED63B9A789BB8F404639AE59477E9EE348656C304

Function 000000013FF93F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 000000013FF93F91
WideCharToMultiByte.KERNEL32 ref: 000000013FF9406D
WriteFile.KERNEL32 ref: 000000013FF94093
WriteFile.KERNEL32 ref: 000000013FF940D2
GetLastError.KERNEL32 ref: 000000013FF9410A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 37f49973f55401a8a5ad6809a2710aa8d16e525e61d824f192b1bc225fa01dfb
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: 86519E33A10A5089F711CF65E8447DE3BB9F758B98F088129DE4A57BA9DB34C286C700

Function 000000013FF81E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013FF81E87
MultiByteToWideChar.KERNEL32 ref: 000000013FF81F09
SysAllocString.OLEAUT32 ref: 000000013FF81F16

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction ID: bb1651b017a05053fe5cce11f7a7e08daa6c5ad1bc5a228af9dfb284d669674b
Opcode Fuzzy Hash: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction Fuzzy Hash: A841A333A016548AEB54AF75D9503E92A99FB48BA4F54473CEE6D877D5DB38C283C300

Function 000000013FF956D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000013FF956FF
_set_statfp.LIBCMT ref: 000000013FF9571A
_set_statfp.LIBCMT ref: 000000013FF95736
_set_statfp.LIBCMT ref: 000000013FF95772

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 4f0f92972c71476d53eb8ccc314064246b821b9b1de181d0d716af98da70fcb2
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 65110C77E10B0D81FA541134E5423FB11CA6B553B0F4C423CEE7A0A6DADA2487474207

Function 000000013FF7FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 000000013FF7FE41
GetMessageW.USER32 ref: 000000013FF7FE58
TranslateMessage.USER32 ref: 000000013FF7FE63
DispatchMessageW.USER32 ref: 000000013FF7FE6E
WaitForSingleObject.KERNEL32 ref: 000000013FF7FE7C

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: bbc128f66cf611852ef552cefdb647517169082706d43cecaf576012c81f0280
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 37F09033F3044982F7148B20E894BAA6229FBE4B49F941034EE4B81994DF3CCB4ACB00

Function 000000013FF8625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FF86286
abort.LIBCMT ref: 000000013FF864EA

Strings

csm, xrefs: 000000013FF862AB
csm, xrefs: 000000013FF8641A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 78764318d1b142b5c86a3ca029e1317b06ae131dc83e74894c38cdcf288ac5fb
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 6D7194736046A48ADB708F25D4947EDBFA4F305F99F14812AEF4857B89CB38CA96C740

Function 000000013FF880F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8811B
_invalid_parameter_noinfo.LIBCMT ref: 000000013FF882ED

Strings

*, xrefs: 000000013FF88221
, xrefs: 000000013FF88276

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 59e5596843a91307673c4c028d36d3fecd32c6780dc2616c31c80c283f8785d7
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: DF515173914A608AE7698F3886493EC3FA9F746B19F14123ECE46462D9CBB4C683C705

Function 000000013FF91758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000013FF917CB
MultiByteToWideChar.KERNEL32 ref: 000000013FF91894
GetStringTypeW.KERNEL32 ref: 000000013FF918AE

Strings

$%s, xrefs: 000000013FF9175A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 0dd6472f77dc26b5f97ffc7f1e3bc33fd1db2dc61f4b415f3c16de18b1b2bf2e
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 1841A233B10B848AEB619F26D8003DA23A9FB44BE8F480639DE1D477C5DB38C646C304

Function 000000013FF866A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF85210: abort.LIBCMT ref: 000000013FF85223

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FF8674A
_CreateFrameInfo.LIBVCRUNTIME ref: 000000013FF86776

Strings

csm, xrefs: 000000013FF86876

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: b7b95cfc86376ce95e79ff621d6100ec80a5937a4d459e18e17a00d8f8c29d3e
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 9C517E7361576487EA20EF16E4413AE7BA8F789BA0F140128EF8D47B55CF38D562CB00

Function 000000013FF94360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000013FF94446
WriteFile.KERNEL32 ref: 000000013FF94479
GetLastError.KERNEL32 ref: 000000013FF9449B

Strings

U, xrefs: 000000013FF94424

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 8e2e27f15e8eb92475d4cc3c0fe732413e8bac268b084a4878a9ada45adda0c8
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 9F41C633715A8082EB20CF65E8447EA77A4F398794F848139EE4D87798DB7CC546CB40

Function 000000013FF790B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013FF790D9
GetObjectW.GDI32 ref: 000000013FF79107
ReleaseDC.USER32 ref: 000000013FF791BB

Strings

, xrefs: 000000013FF79153

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: a2afd842f1629be2ca1be8ec16681650f71e07f43278610d285522c466648352
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 39314936A0874486EB08DF12B81875AB7A4F789FD9F504439EE8B43B54CE3CC94ACB00

Function 000000013FF6E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,000000013FF7317F,?,?,00001000,000000013FF5E51D), ref: 000000013FF6E8BB
CreateSemaphoreW.KERNEL32 ref: 000000013FF6E8CB
CreateEventW.KERNEL32(?,?,?,000000013FF7317F,?,?,00001000,000000013FF5E51D), ref: 000000013FF6E8E4

Strings

Thread pool initialization failed., xrefs: 000000013FF6E900

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 73d98cca62ea0b47c35f860f889272d870d75f4ced17348472131efd11a7f599
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 6521BE33E1164086F7508F34E4587DE32A6E798B1CF188039CE094A295DF7E8A97CB88

Function 000000013FF785E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013FF785EC
GetDeviceCaps.GDI32 ref: 000000013FF785FD
ReleaseDC.USER32 ref: 000000013FF7860A

Strings

, xrefs: 000000013FF78610

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: f03bade348837fdde68a9d7b53e123e8fe9832d6714c332de1dedacd4c5353b9
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 39E0C232F0464482FB0C57B6F58A32A2261A34CBD0F158039DE1B83794CE3CCDC64300

Function 000000013FF5D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 000000013FF5D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5D560

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: fd4bf53bfdfb75847e8e456477d5ec84f1ccce8e3f545aec7fedd5d5e9a8f738
Instruction ID: cf82961823d7d1c2d0380d10640f04cef360cee3046db540e2023a449d0398e5
Opcode Fuzzy Hash: fd4bf53bfdfb75847e8e456477d5ec84f1ccce8e3f545aec7fedd5d5e9a8f738
Instruction Fuzzy Hash: 84A1B073A15A80C1EA10DB65E8883DE6379FB85794F805229EE9D07BE9DF38C646C700

Function 000000013FF70548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013FF705FC
SetLastError.KERNEL32 ref: 000000013FF70697

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7936dbe671a94e08b05b2b3b32e462f49504e3c7108ba41fc675490ea87a0fab
Instruction ID: 87dba223e51720e766b7ab31cc5c3bc225be5e5edd59a44958e32b76416f6722
Opcode Fuzzy Hash: 7936dbe671a94e08b05b2b3b32e462f49504e3c7108ba41fc675490ea87a0fab
Instruction Fuzzy Hash: 68517A73B10A4599FB00AF64D8453DD2369EB89BD8F40422A9E1C97BAAEF24C746C340

Function 000000013FF79D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000013FF79DBC
GetLastError.KERNEL32 ref: 000000013FF79E08
CreateDirectoryW.KERNEL32 ref: 000000013FF79F10
LocalFree.KERNEL32 ref: 000000013FF79F20

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction ID: 6ab935cc9e432f45747ae630e4959b93b76825234ebef35db94ce6d5916d572b
Opcode Fuzzy Hash: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction Fuzzy Hash: 61514033A14B8586EB508F61E4447DEB7B8F784B84F501129EE4A57B58DF3CCA4ACB40

Function 000000013FF8DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8DBAF
WideCharToMultiByte.KERNEL32 ref: 000000013FF8DC81
GetLastError.KERNEL32 ref: 000000013FF8DCA4
_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8DCD6

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: aa298106199a1946e59c6f5ab4d81af7098849518c8f6bb4285ab20af561871c
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: CD41A333E047A086FB659F11D1443EDBAA8EF92B94F148139DF5947ADADB78CA438700

Function 000000013FF63980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 000000013FF639BD
MoveFileW.KERNEL32 ref: 000000013FF63A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF63AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF63AF1

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: bbac506f016d9360db9e17d2d1671c16b614b755f6a366ad0dc26eec498b4da2
Instruction ID: 3fccc20f3278d315b1736839b82e23f142a7fc16eefe27e3617d2b124c4b0d65
Opcode Fuzzy Hash: bbac506f016d9360db9e17d2d1671c16b614b755f6a366ad0dc26eec498b4da2
Instruction Fuzzy Hash: CE415B73F10A5084FB00CF75E8853DD237ABB45BA8F505229DE5966B99DF74C646C200

Function 000000013FF90B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013FF8C45B), ref: 000000013FF90B91
WideCharToMultiByte.KERNEL32 ref: 000000013FF90BF3
WideCharToMultiByte.KERNEL32 ref: 000000013FF90C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013FF8C45B), ref: 000000013FF90C57

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 2af102a9dba96140cbf7985fbdccb3a6d5870fb3b6c0d28cf8bf8d17cfd7b1ce
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 57216532F14B9082E6649F22644035AB6A9FB94BD4F484139DE9EA3BB4DF38C5538704

Function 000000013FF8D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000013FF87F28,?,?,?,000000013FF89D35), ref: 000000013FF8D44A
SetLastError.KERNEL32(?,?,?,000000013FF87F28,?,?,?,000000013FF89D35), ref: 000000013FF8D4B2
SetLastError.KERNEL32(?,?,?,000000013FF87F28,?,?,?,000000013FF89D35), ref: 000000013FF8D4C8
abort.LIBCMT ref: 000000013FF8D4CE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
Instruction ID: db1dda04a264e5f8eabd358e2691aab70727d201351bfe548656818ecf7182aa
Opcode Fuzzy Hash: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
Instruction Fuzzy Hash: 3F017C33F0165042FF58BB31A69A3ED19AD5F44BD0F14453CDD1A437E6ED28DA078600

Function 000000013FF78590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000013FF78598
GetDeviceCaps.GDI32 ref: 000000013FF785AE
GetDeviceCaps.GDI32 ref: 000000013FF785C2
ReleaseDC.USER32 ref: 000000013FF785D3

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 2f77feb4314d988245bbb11a9379c4c59f421d309bdc4c2bded42d8209b5e427
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: A4E01272E0170882FF0D5B71A8593562194AB48B45F18443D8C1B47350DD3CCE8BC710

Function 000000013FF5E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF5E549

Strings

DXGIDebug.dll, xrefs: 000000013FF5E35A

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 30735fc0874bb79453b7a58344767550bacd8fea16fe076cd684d77636adcf15
Instruction ID: f4224294ce50462441d44c2daeb7227066571cd2bb2bff2eb20484343265a5e7
Opcode Fuzzy Hash: 30735fc0874bb79453b7a58344767550bacd8fea16fe076cd684d77636adcf15
Instruction Fuzzy Hash: DE718B73A10B8086EB14CF25E9443DDB3A8FB54B98F544229DFA907B95DF78D262C304

Function 000000013FF8E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8E237

Strings

gfff, xrefs: 000000013FF8E362
e+000, xrefs: 000000013FF8E2DF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 06721955f62dd5d2d9a0265cd6b3ee04f3b9fed9d9fb58ace36348e9e571de5b
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: EC51F173B147E086E7258B7999413D97F99A381B94F089239CEA887BD6CA2CC946C701

Function 000000013FF69408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF695A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF695E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF6959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FF695A2

Strings

SIZE, xrefs: 000000013FF69443

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 6bf5c94b90f936377cecc09889f3643346e9af6ef61bc9371a2428e611e7cd9c
Instruction ID: 1863186a0d9d4e731f3913923c392302acd3c2741423ba4d1107a73fb4272c4f
Opcode Fuzzy Hash: 6bf5c94b90f936377cecc09889f3643346e9af6ef61bc9371a2428e611e7cd9c
Instruction Fuzzy Hash: 1541A673A2078085EE20DF24E4453EDA3A4E795BA4F504229EF9D466D6EF78C786C700

Function 000000013FF8C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FF8C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000013FF82CD5), ref: 000000013FF8C30B

Strings

C:\Users\user\Desktop\0442.pdf.exe, xrefs: 000000013FF8C2F9

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\0442.pdf.exe
API String ID: 3307058713-4294395081
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: b545f8bbee7250cb109d175cba23ae7f46013cbf800f3033cd8f8a505923dc2c
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: A7414D33A00A648AEB15DF25A4413ED7BECEB84BD4F55403AEE4A47B95DE35CA83C740

Function 000000013FF79B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FF5255C: GetDlgItem.USER32 ref: 000000013FF525AC
Part of subcall function 000000013FF5255C: SetWindowTextW.USER32 ref: 000000013FF525C8

EndDialog.USER32 ref: 000000013FF79C24
SetDlgItemTextW.USER32 ref: 000000013FF79CAA

Strings

ASKNEXTVOL, xrefs: 000000013FF79B72

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: e777c5b2998591fcb0a3f6ca9decd89e4c57ba4b5f43602e83b36ef0b3ef056f
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: 58418E33B0469482FA249B26E9543EA67A9B789BC4F14013DDE49577A9DE38CA4B8340

Function 000000013FF69638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 000000013FF696EA

Part of subcall function 000000013FF70F68: WideCharToMultiByte.KERNEL32 ref: 000000013FF70F99

Strings

$%s, xrefs: 000000013FF696D7
@%s, xrefs: 000000013FF696CE

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: e05307d8c718e5056e986c566b7932a77797eec19d0dc1c640c6bd9c5cca46af
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 4031AFB3B10A8496EA608F66E4407DAA7A8F7447D8F40103AEE0D17795EF39C607C740

Function 000000013FF8EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 000000013FF8EB76
GetFileType.KERNEL32 ref: 000000013FF8EB8C

Strings

@, xrefs: 000000013FF8EBB7

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: f2dfe559e724405980bf906a4008a816ced3b55be4aae108d71da0857403ad94
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: D7219933B047A141EB648B6598903A92E59E785778F28132DDE6B077F4DA39CA83C342

Function 000000013FF84078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FF81D3E), ref: 000000013FF840BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FF81D3E), ref: 000000013FF84102

Strings

csm, xrefs: 000000013FF840EF

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 8524ca9b2331be2ee2b58cf2e89e2ff8fe886adce84e0b52fe98bc196282431a
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: BA111F33614B4482EB218F15E54079A7BE5F788B94F584225DF8D07B58DF3DC656CB00

Function 000000013FF6EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,000000013FF6E95F,?,?,?,000000013FF6463A,?,?,?), ref: 000000013FF6EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000000013FF6E95F,?,?,?,000000013FF6463A,?,?,?), ref: 000000013FF6EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000000013FF6EA78

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: a8a23495226b5e12787bb9edaa2ca8d9076aaeffd101800d42ce8adb6a0d2d87
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: A7E04633E1180082F610AB30AC867D92218B7A07B0FE00378D93A812F29B288F8BC700

Function 000000013FF6A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000013FF6A447
FindResourceW.KERNEL32 ref: 000000013FF6A45D

Strings

RTL, xrefs: 000000013FF6A453

Memory Dump Source

Source File: 00000000.00000002.371204795.000000013FF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FF50000, based on PE: true

Associated: 00000000.00000002.371180781.000000013FF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371213216.000000013FF98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371218611.000000013FFB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371327083.000000013FFBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371333758.000000013FFBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.371393428.000000013FFBF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ff50000_0442.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: c723b660f90fa07bd44e04e585ed9eb64142ba803bc8f0539bdbcd963f8b9b6c
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 61D0A7B3F0170082FF294BB1A8493E61654571CF41F88503D8C06063A0EE3CC2DAC750

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0442.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\49c0c3.rbs

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

Windows Analysis Report
0442.pdf.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre